Commit 822a592d authored Nov 22, 2024 by Mikhail Lobanov Committed by Dong Chenchen Nov 22, 2024

RDMA/cxgb4: Added NULL check for lookup_atid

stable inclusion
from stable-v5.10.227
commit dd598ac57dcae796cb58551074660c39b43fb155
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRV
CVE: CVE-2024-47749

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dd598ac57dcae796cb58551074660c39b43fb155



--------------------------------

[ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ]

The lookup_atid() function can return NULL if the ATID is
invalid or does not exist in the identifier table, which
could lead to dereferencing a null pointer without a
check in the `act_establish()` and `act_open_rpl()` functions.
Add a NULL check to prevent null pointer dereferencing.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: cfdda9d7 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru


Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

parent 81248561

drivers/infiniband/hw/cxgb4/cm.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -1222,6 +1222,8 @@ static int act_establish(struct c4iw_dev dev, struct sk_buff skb)
		int ret;

		ep = lookup_atid(t, atid);
		if (!ep)
		return -EINVAL;

		pr_debug("ep %p tid %u snd_isn %u rcv_isn %u\n", ep, tid,
		be32_to_cpu(req->snd_isn), be32_to_cpu(req->rcv_isn));
		@@ -2279,6 +2281,9 @@ static int act_open_rpl(struct c4iw_dev dev, struct sk_buff skb)
		int ret = 0;

		ep = lookup_atid(t, atid);
		if (!ep)
		return -EINVAL;

		la = (struct sockaddr_in *)&ep->com.local_addr;
		ra = (struct sockaddr_in *)&ep->com.remote_addr;
		la6 = (struct sockaddr_in6 *)&ep->com.local_addr;