RDMA/siw: Fix potential NULL pointer dereference in header processing

YunJe Shin · rleon · commit 14ab3da122bd · 2026-02-05T07:46:52.000-05:00
If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat: [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50 Fixes: 8b6a361 ("rdma/siw: receive path") Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr> Link: https://patch.msgid.link/20260204092546.489842-1-ioerts@kookmin.ac.kr Acked-by: Bernard Metzler <bernard.metzler@linux.dev> Signed-off-by: Leon Romanovsky <leon@kernel.org>
diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c
@@ -1435,7 +1435,8 @@ int siw_tcp_rx_data(read_descriptor_t *rd_desc, struct sk_buff *skb,
 		}
 		if (unlikely(rv != 0 && rv != -EAGAIN)) {
 			if ((srx->state > SIW_GET_HDR ||
-			     qp->rx_fpdu->more_ddp_segs) && run_completion)
+			     (qp->rx_fpdu && qp->rx_fpdu->more_ddp_segs)) &&
+			    run_completion)
 				siw_rdmap_complete(qp, rv);
 
 			siw_dbg_qp(qp, "rx error %d, rx state %d\n", rv,

Original file line number	Diff line number	Diff line change
`@@ -1435,7 +1435,8 @@ int siw_tcp_rx_data(read_descriptor_t rd_desc, struct sk_buff skb,`
`1435`	`1435`	`}`
`1436`	`1436`	`if (unlikely(rv != 0 && rv != -EAGAIN)) {`
`1437`	`1437`	`if ((srx->state > SIW_GET_HDR \|\|`
`1438`		`- qp->rx_fpdu->more_ddp_segs) && run_completion)`
	`1438`	`+ (qp->rx_fpdu && qp->rx_fpdu->more_ddp_segs)) &&`
	`1439`	`+ run_completion)`
`1439`	`1440`	`siw_rdmap_complete(qp, rv);`
`1440`	`1441`
`1441`	`1442`	`siw_dbg_qp(qp, "rx error %d, rx state %d\n", rv,`