| Message ID | 20180322180342.GA18505@embeddedgus (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
On Thu, Mar 22, 2018 at 01:03:42PM -0500, Gustavo A. R. Silva wrote: > _rule_ is being freed and then dereferenced by accessing rule->ctx > > Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local > variable for its safe use after freeing _rule_ > > Addresses-Coverity-ID: 1466041 ("Read from pointer after free") > Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation") > Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Prefix should not be that long, a short one as this is enough. net/mlx5: Fix use-after-free Besides that - lgtm. Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> > --- > drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c > index 4f15685..0f5da49 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c > @@ -1061,8 +1061,9 @@ static int fpga_ipsec_fs_create_fte(struct mlx5_core_dev *dev, > > rule->ctx = mlx5_fpga_ipsec_fs_create_sa_ctx(dev, fte, is_egress); > if (IS_ERR(rule->ctx)) { > + int err = PTR_ERR(rule->ctx); > kfree(rule); > - return PTR_ERR(rule->ctx); > + return err; > } > > rule->fte = fte; > -- > 2.7.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-rdma" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Yuval, On 03/22/2018 01:32 PM, Yuval Shaia wrote: > On Thu, Mar 22, 2018 at 01:03:42PM -0500, Gustavo A. R. Silva wrote: >> _rule_ is being freed and then dereferenced by accessing rule->ctx >> >> Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local >> variable for its safe use after freeing _rule_ >> >> Addresses-Coverity-ID: 1466041 ("Read from pointer after free") >> Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation") >> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> > > Prefix should not be that long, a short one as this is enough. > Yeah. Actually, I was suspicious about it. > net/mlx5: Fix use-after-free > > Besides that - lgtm. > > Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> > I'll send v2 with a short prefix and add your Reviewed-by. Thanks for the feedback. -- Gustavo -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c index 4f15685..0f5da49 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c @@ -1061,8 +1061,9 @@ static int fpga_ipsec_fs_create_fte(struct mlx5_core_dev *dev, rule->ctx = mlx5_fpga_ipsec_fs_create_sa_ctx(dev, fte, is_egress); if (IS_ERR(rule->ctx)) { + int err = PTR_ERR(rule->ctx); kfree(rule); - return PTR_ERR(rule->ctx); + return err; } rule->fte = fte;
_rule_ is being freed and then dereferenced by accessing rule->ctx Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local variable for its safe use after freeing _rule_ Addresses-Coverity-ID: 1466041 ("Read from pointer after free") Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation") Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> --- drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)