diff mbox series

net: bnx2x: fix variable dereferenced before check

Message ID 20211113223636.11446-1-paskripkin@gmail.com (mailing list archive)
State Accepted
Commit f8885ac89ce310570e5391fe0bf0ec9c7c9b4fdc
Delegated to: Netdev Maintainers
Headers show
Series net: bnx2x: fix variable dereferenced before check | expand

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1 this patch: 1
netdev/cc_maintainers fail 3 blamed authors not CCed: dmitry@broadcom.com eilong@broadcom.com mchan@broadcom.com; 3 maintainers not CCed: dmitry@broadcom.com eilong@broadcom.com mchan@broadcom.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1 this patch: 1
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Pavel Skripkin Nov. 13, 2021, 10:36 p.m. UTC 
Smatch says:
	bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op()
	warn: variable dereferenced before check 'ilt' (see line 638)

Move ilt_cli variable initialization _after_ ilt validation, because
it's unsafe to deref the pointer before validation check.

Fixes: 523224a3b3cd ("bnx2x, cnic, bnx2i: use new FW/HSI")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Pavel Skripkin Nov. 13, 2021, 10:41 p.m. UTC | #1 
On 11/14/21 01:36, Pavel Skripkin wrote:
> Smatch says:
> 	bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op()
> 	warn: variable dereferenced before check 'ilt' (see line 638)
> 
> Move ilt_cli variable initialization _after_ ilt validation, because
> it's unsafe to deref the pointer before validation check.
> 
> Fixes: 523224a3b3cd ("bnx2x, cnic, bnx2i: use new FW/HSI")
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
>   drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 

Btw, looks like GR-everest-linux-l2@marvell.com doesn't exist anymore. 
It's listed in 2 MAINTAINERS entries. Should it be removed from 
MAINTAINERS file?


Quoting private email from postmaster@marvel.com:

> Delivery has failed to these recipients or groups:
> 
> gr-everest-linux-l2@marvell.com<mailto:gr-everest-linux-l2@marvell.com>
> The email address you entered couldn't be found. Please check the recipient's email address and try to resend the message. If the problem continues, please contact your helpdesk.





With regards,
Pavel Skripkin
patchwork-bot+netdevbpf@kernel.org Nov. 15, 2021, 1:30 p.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Sun, 14 Nov 2021 01:36:36 +0300 you wrote:
> Smatch says:
> 	bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op()
> 	warn: variable dereferenced before check 'ilt' (see line 638)
> 
> Move ilt_cli variable initialization _after_ ilt validation, because
> it's unsafe to deref the pointer before validation check.
> 
> [...]

Here is the summary with links:
  - net: bnx2x: fix variable dereferenced before check
    https://git.kernel.org/netdev/net/c/f8885ac89ce3

You are awesome, thank you!
Jakub Kicinski Nov. 15, 2021, 2:12 p.m. UTC | #3 
On Sun, 14 Nov 2021 01:41:59 +0300 Pavel Skripkin wrote:
> Btw, looks like GR-everest-linux-l2@marvell.com doesn't exist anymore. 
> It's listed in 2 MAINTAINERS entries. Should it be removed from 
> MAINTAINERS file?

Yes, if it bounces it should be removed. Can you send a patch?
Johan Hovold Nov. 18, 2021, 8:51 a.m. UTC | #4 
[ Adding Dan. ]

On Sun, Nov 14, 2021 at 01:36:36AM +0300, Pavel Skripkin wrote:
> Smatch says:
> 	bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op()
> 	warn: variable dereferenced before check 'ilt' (see line 638)
> 
> Move ilt_cli variable initialization _after_ ilt validation, because
> it's unsafe to deref the pointer before validation check.

It seems smatch is confused here. There is no dereference happening
until after the check, we're just determining the address when
initialising ilt_cli.

I know this has been applied, and the change itself is fine, but the
patch description is wrong and the Fixes tag is unwarranted.
 
> Fixes: 523224a3b3cd ("bnx2x, cnic, bnx2i: use new FW/HSI")
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
> index 1835d2e451c0..fc7fce642666 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
> @@ -635,11 +635,13 @@ static int bnx2x_ilt_client_mem_op(struct bnx2x *bp, int cli_num,
>  {
>  	int i, rc;
>  	struct bnx2x_ilt *ilt = BP_ILT(bp);
> -	struct ilt_client_info *ilt_cli = &ilt->clients[cli_num];
> +	struct ilt_client_info *ilt_cli;
>  
>  	if (!ilt || !ilt->lines)
>  		return -1;
>  
> +	ilt_cli = &ilt->clients[cli_num];
> +
>  	if (ilt_cli->flags & (ILT_CLIENT_SKIP_INIT | ILT_CLIENT_SKIP_MEM))
>  		return 0;

Johan
Pavel Skripkin Nov. 18, 2021, 9 a.m. UTC | #5 
On 11/18/21 11:51, Johan Hovold wrote:
> [ Adding Dan. ]
> 
> On Sun, Nov 14, 2021 at 01:36:36AM +0300, Pavel Skripkin wrote:
>> Smatch says:
>> 	bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op()
>> 	warn: variable dereferenced before check 'ilt' (see line 638)
>> 
>> Move ilt_cli variable initialization _after_ ilt validation, because
>> it's unsafe to deref the pointer before validation check.
> 
> It seems smatch is confused here. There is no dereference happening
> until after the check, we're just determining the address when
> initialising ilt_cli.
> 
> I know this has been applied, and the change itself is fine, but the
> patch description is wrong and the Fixes tag is unwarranted.
>   

I agree. I came up with same thing after the patch has been applied. I 
thought about a revert, but seems it's not necessary, since there is no 
function change.

I should check smatch warnings more carefully next time, can't say why I 
didn't notice it before sending :(

thanks



With regards,
Pavel Skripkin
Dan Carpenter Nov. 18, 2021, 3:09 p.m. UTC | #6 
On Thu, Nov 18, 2021 at 09:51:57AM +0100, Johan Hovold wrote:
> [ Adding Dan. ]
> 
> On Sun, Nov 14, 2021 at 01:36:36AM +0300, Pavel Skripkin wrote:
> > Smatch says:
> > 	bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op()
> > 	warn: variable dereferenced before check 'ilt' (see line 638)
> > 
> > Move ilt_cli variable initialization _after_ ilt validation, because
> > it's unsafe to deref the pointer before validation check.
> 
> It seems smatch is confused here. There is no dereference happening
> until after the check, we're just determining the address when
> initialising ilt_cli.

Yep.  You're right.  I will fix this.  I've written a fix and I'll test
it tonight.

regards,
dan carpenter
diff mbox series

Patch

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
index 1835d2e451c0..fc7fce642666 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h
@@ -635,11 +635,13 @@  static int bnx2x_ilt_client_mem_op(struct bnx2x *bp, int cli_num,
 {
 	int i, rc;
 	struct bnx2x_ilt *ilt = BP_ILT(bp);
-	struct ilt_client_info *ilt_cli = &ilt->clients[cli_num];
+	struct ilt_client_info *ilt_cli;
 
 	if (!ilt || !ilt->lines)
 		return -1;
 
+	ilt_cli = &ilt->clients[cli_num];
+
 	if (ilt_cli->flags & (ILT_CLIENT_SKIP_INIT | ILT_CLIENT_SKIP_MEM))
 		return 0;