Message ID | 20200928090556.GA377727@mwanda (mailing list archive) |
---|---|
State | Not Applicable |
Headers | show |
Series | [net-next] net/mlx5e: Fix a use after free on error in mlx5_tc_ct_shared_counter_get() | expand |
On Mon, Sep 28, 2020 at 12:05:56PM +0300, Dan Carpenter wrote: > This code frees "shared_counter" and then dereferences on the next line > to get the error code. > > Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > Thanks, Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
From: Dan Carpenter <dan.carpenter@oracle.com> Date: Mon, 28 Sep 2020 12:05:56 +0300 > This code frees "shared_counter" and then dereferences on the next line > to get the error code. > > Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Saeed, I assume you will pick this up. Thank you.
On Mon, 2020-09-28 at 12:29 -0700, David Miller wrote: > From: Dan Carpenter <dan.carpenter@oracle.com> > Date: Mon, 28 Sep 2020 12:05:56 +0300 > > > This code frees "shared_counter" and then dereferences on the next > line > > to get the error code. > > > > Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both > directions") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Saeed, I assume you will pick this up. > > Thank you. Applied to net-next-mlx5. Thanks
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index b5f8ed30047b..cea2070af9af 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -739,6 +739,7 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, struct mlx5_core_dev *dev = ct_priv->dev; struct mlx5_ct_entry *rev_entry; __be16 tmp_port; + int ret; /* get the reversed tuple */ tmp_port = rev_tuple.port.src; @@ -778,8 +779,9 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, shared_counter->counter = mlx5_fc_create(dev, true); if (IS_ERR(shared_counter->counter)) { ct_dbg("Failed to create counter for ct entry"); + ret = PTR_ERR(shared_counter->counter); kfree(shared_counter); - return ERR_PTR(PTR_ERR(shared_counter->counter)); + return ERR_PTR(ret); } refcount_set(&shared_counter->refcount, 1);
This code frees "shared_counter" and then dereferences on the next line to get the error code. Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)