In p9_cm_event_handler(), there is an if statement on line 260 that checks whether rdma is NULL, which indicates that rdma can be NULL. If so, the unguarded uses of rdma->xxx elsewhere in the function may cause a null-pointer dereference.
To fix these bugs, rdma is checked before being used. These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1...@gmail.com>
---
 net/9p/trans_rdma.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index bac8dad5dd69..eba3c5fc2731 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -242,18 +242,24 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
 struct p9_trans_rdma *rdma = c->trans;
 switch (event->event) {
 case RDMA_CM_EVENT_ADDR_RESOLVED:
- BUG_ON(rdma->state != P9_RDMA_INIT);
- rdma->state = P9_RDMA_ADDR_RESOLVED;
+ if (rdma) {
+ BUG_ON(rdma->state != P9_RDMA_INIT);
+ rdma->state = P9_RDMA_ADDR_RESOLVED;
+ }
 break;
 case RDMA_CM_EVENT_ROUTE_RESOLVED:
- BUG_ON(rdma->state != P9_RDMA_ADDR_RESOLVED);
- rdma->state = P9_RDMA_ROUTE_RESOLVED;
+ if (rdma) {
+ BUG_ON(rdma->state != P9_RDMA_ADDR_RESOLVED);
+ rdma->state = P9_RDMA_ROUTE_RESOLVED;
+ }
 break;
 case RDMA_CM_EVENT_ESTABLISHED:
- BUG_ON(rdma->state != P9_RDMA_ROUTE_RESOLVED);
- rdma->state = P9_RDMA_CONNECTED;
+ if (rdma) {
+ BUG_ON(rdma->state != P9_RDMA_ROUTE_RESOLVED);
+ rdma->state = P9_RDMA_CONNECTED;
+ }
 break;
 case RDMA_CM_EVENT_DISCONNECTED:
@@ -277,12 +283,14 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
 case RDMA_CM_EVENT_ADDR_ERROR:
 case RDMA_CM_EVENT_UNREACHABLE:
 c->status = Disconnected;
- rdma_disconnect(rdma->cm_id);
+ if (rdma)
+ rdma_disconnect(rdma->cm_id);
 break;
 default:
 BUG();
 }
- complete(&rdma->cm_done);
+ if (rdma)
+ complete(&rdma->cm_done);
 return 0;
 }
-- 
2.17.0
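Review bot: Wrapping each `BUG_ON(rdma->state != ...)` in `if (rdma)` turns an invariant check into a silent no-op: with rdma NULL the ADDR_RESOLVED, ROUTE_RESOLVED and ESTABLISHED transitions are simply dropped and the handler carries on as if the event had been processed. The only evidence offered that rdma can be NULL is the existing guard in the RDMA_CM_EVENT_DISCONNECTED case, which may be defensive rather than proof that c->trans is cleared while address/route resolution is still in flight; the commit message should name the path that clears it before these events are delivered. If that path exists, make the condition visible once instead of guarding each case, e.g. `if (WARN_ON_ONCE(!rdma)) return 0;` immediately after `struct p9_trans_rdma *rdma = c->trans;`, and leave the BUG_ON state checks untouched; whether an early return is the right recovery depends on what waits on cm_done, which is outside this hunk. p9_cm_event_handler begins before the hunk (c is assigned above it) and the hunk ends mid-switch.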
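Review bot: Guarding `complete(&rdma->cm_done)` with `if (rdma)` means that on the NULL path nothing is ever signalled, yet the function still returns 0, so any waiter on cm_done would learn of the error events handled just above only by timing out, if at all. If NULL is genuinely reachable here it should be recorded rather than skipped silently, e.g. `WARN_ON_ONCE(!rdma);` before the guard, so the condition shows up in logs instead of being absorbed. The coverage inside this hunk is also uneven: `c->status = Disconnected;` still dereferences c unconditionally while the `rdma_disconnect(rdma->cm_id)` right below it is guarded, and a one-line comment above the first guard stating under which condition c->trans is NULL would let a reader verify the assumption. The hunk starts mid-switch and its last line closes p9_cm_event_handler.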