Re: [PATCH net-next v09 2/9] hinic3: Add PF management interfaces

Next message: Randy Jennings: "Re: [RFC PATCH 08/14] nvme: Implement cross-controller reset recovery"
Previous message: Zeng Heng: "[PATCH] arm64/mpam: Support partial-core boot for MPAM"
In reply to: Fan Gong: "[PATCH net-next v09 2/9] hinic3: Add PF management interfaces"
Next in thread: Fan Gong: "[PATCH net-next v09 6/9] hinic3: Add .ndo_vlan_rx_add/kill_vid and .ndo_validate_addr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fan Gong

Date: Tue Jan 06 2026 - 22:14:23 EST

> > +static void hinic3_init_mgmt_msg_work(struct hinic3_msg_pf_to_mgmt *pf_to_mgmt,
> > + struct hinic3_recv_msg *recv_msg)
> > +{
> > + struct mgmt_msg_handle_work *mgmt_work;
> > +
> > + mgmt_work = kmalloc(sizeof(*mgmt_work), GFP_KERNEL);
> > + if (!mgmt_work)
> > + return;
> > +
> > + if (recv_msg->msg_len) {
> > + mgmt_work->msg = kmalloc(recv_msg->msg_len, GFP_KERNEL);
> > + if (!mgmt_work->msg) {
> > + kfree(mgmt_work);
> > + return;
> > + }
> > + }
>
> When recv_msg->msg_len is zero, the above conditional is not taken, leaving
> mgmt_work->msg uninitialized. The work handler later calls kfree() on this
> uninitialized pointer at the "out" label in hinic3_recv_mgmt_msg_work_handler().
>
> A zero-length message can arrive when seg_len is 0 in hinic3_recv_msg_add_seg(),
> which only validates seg_len > MGMT_SEG_LEN_MAX but does not reject seg_len == 0.
>
> Should mgmt_work->msg be initialized to NULL before the conditional, or should
> an else clause set it to NULL?

We will address the AI review comments in patch 2/5/8 sooner.