| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Feb 2017 22:18:16 +0100
From: SF Markus Elfring <elfring@...rs.sourceforge.net>
To: linux-rdma@...r.kernel.org, Doug Ledford <dledford@...hat.com>,
Hal Rosenstock <hal.rosenstock@...il.com>,
Leon Romanovsky <leonro@...lanox.com>,
Matan Barak <matanb@...lanox.com>,
Sean Hefty <sean.hefty@...el.com>,
Yishai Hadas <yishaih@...lanox.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
kernel-janitors@...r.kernel.org
Subject: [PATCH 28/29] IB/mlx5: Less function calls in create_kernel_qp()
after error detection
From: Markus Elfring <elfring@...rs.sourceforge.net>
Date: Sat, 18 Feb 2017 21:00:50 +0100
The kfree() function was called in up to five cases
by the create_kernel_qp() function during error handling
even if the passed data structure member contained a null pointer.
* Adjust jump targets according to the Linux coding style convention.
* Split a condition check for memory allocation failures so that
each pointer from these function calls will be checked immediately.
See also background information:
Topic "CWE-754: Improper check for unusual or exceptional conditions"
Link: https://cwe.mitre.org/data/definitions/754.html
Signed-off-by: Markus Elfring <elfring@...rs.sourceforge.net>
---
drivers/infiniband/hw/mlx5/qp.c | 43 ++++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index e6e9b468b206..c47afce5fc6a 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -930,7 +930,7 @@ static int create_kernel_qp(struct mlx5_ib_dev *dev,
*in = mlx5_vzalloc(*inlen);
if (!*in) {
err = -ENOMEM;
- goto err_buf;
+ goto free_buffer;
}
qpc = MLX5_ADDR_OF(create_qp_in, *in, qpc);
@@ -952,45 +952,56 @@ static int create_kernel_qp(struct mlx5_ib_dev *dev,
err = mlx5_db_alloc(dev->mdev, &qp->db);
if (err) {
mlx5_ib_dbg(dev, "err %d\n", err);
- goto err_free;
+ goto vfree_in;
}
qp->sq.wrid = kmalloc_array(qp->sq.wqe_cnt,
sizeof(*qp->sq.wrid),
GFP_KERNEL);
+ if (!qp->sq.wrid)
+ goto free_db;
+
qp->sq.wr_data = kmalloc_array(qp->sq.wqe_cnt,
sizeof(*qp->sq.wr_data),
GFP_KERNEL);
+ if (!qp->sq.wr_data)
+ goto free_sq_wrid;
+
qp->rq.wrid = kmalloc_array(qp->rq.wqe_cnt,
sizeof(*qp->rq.wrid),
GFP_KERNEL);
+ if (!qp->rq.wrid)
+ goto free_sq_wr_data;
+
qp->sq.w_list = kmalloc_array(qp->sq.wqe_cnt,
sizeof(*qp->sq.w_list),
GFP_KERNEL);
+ if (!qp->sq.w_list)
+ goto free_rq_wrid;
+
qp->sq.wqe_head = kmalloc_array(qp->sq.wqe_cnt,
sizeof(*qp->sq.wqe_head),
GFP_KERNEL);
- if (!qp->sq.wrid || !qp->sq.wr_data || !qp->rq.wrid ||
- !qp->sq.w_list || !qp->sq.wqe_head) {
- err = -ENOMEM;
- goto err_wrid;
- }
+ if (!qp->sq.wqe_head)
+ goto free_sq_w_list;
+
qp->create_type = MLX5_QP_KERNEL;
return 0;
-
-err_wrid:
- kfree(qp->sq.wqe_head);
+free_sq_w_list:
kfree(qp->sq.w_list);
- kfree(qp->sq.wrid);
- kfree(qp->sq.wr_data);
+free_rq_wrid:
kfree(qp->rq.wrid);
+free_sq_wr_data:
+ kfree(qp->sq.wr_data);
+free_sq_wrid:
+ kfree(qp->sq.wrid);
+free_db:
mlx5_db_free(dev->mdev, &qp->db);
-
-err_free:
+ err = -ENOMEM;
+vfree_in:
kvfree(*in);
-
-err_buf:
+free_buffer:
mlx5_buf_free(dev->mdev, &qp->buf);
return err;
}
--
2.11.1
Powered by blists - more mailing lists