Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device

Next message: Shengjiu Wang: "Re: [PATCH 11/11] ASoC: fsl_easrc: Change the type for iec958 channel status controls"
Previous message: Greg KH: "Re: [PATCH 6.19.y 2/2] rust: pin-init: replace shadowed return token by `unsafe`-to-create token"
In reply to: Prathamesh Deshpande: "[PATCH] IB/mlx5: Fix potential NULL dereference in query_device"
Next in thread: Prathamesh Deshpande: "Re: [PATCH] IB/mlx5: Fix potential NULL dereference in query_device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Tue Mar 31 2026 - 09:55:02 EST

On Tue, Mar 31, 2026 at 02:44:27AM +0100, Prathamesh Deshpande wrote:
> Smatch reported an inconsistent NULL check for 'uhw' in
> mlx5_ib_query_device(). While 'uhw_outlen' is checked at the end of
> the function before calling ib_copy_to_udata(), 'uhw' is explicitly
> checked for NULL earlier in the same function.
>
> If a caller provides a non-zero 'uhw_outlen' but a NULL 'uhw' pointer,
> ib_copy_to_udata() will attempt to dereference 'uhw',

How is it possible?