| Message ID | 20230704070640.368652-1-shaozhengchao@huawei.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [net] net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups | expand |
On Tue, Jul 04, 2023 at 03:06:40PM +0800, Zhengchao Shao wrote: > In function macsec_fs_tx_create_crypto_table_groups(), when the ft->g > memory is successfully allocated but the 'in' memory fails to be > allocated, the memory pointed to by ft->g is released once. And in function > macsec_fs_tx_create(), macsec_fs_tx_destroy() is called to release the > memory pointed to by ft->g again. This will cause double free problem. > > Fixes: e467b283ffd5 ("net/mlx5e: Add MACsec TX steering rules") > Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com>
On Tue, Jul 04, 2023 at 03:06:40PM +0800, Zhengchao Shao wrote: > In function macsec_fs_tx_create_crypto_table_groups(), when the ft->g > memory is successfully allocated but the 'in' memory fails to be > allocated, the memory pointed to by ft->g is released once. And in function > macsec_fs_tx_create(), macsec_fs_tx_destroy() is called to release the > memory pointed to by ft->g again. This will cause double free problem. This is perfect example, why it is anti-pattern to have one global destroy function like macsec_fs_tx_destroy(), which hides multiple class of errors: wrong release order, double free e.t.c > > Fixes: e467b283ffd5 ("net/mlx5e: Add MACsec TX steering rules") > Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> > --- > drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c | 1 + > 1 file changed, 1 insertion(+) > Thanks, Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c index 7fc901a6ec5f..414e28584881 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c @@ -161,6 +161,7 @@ static int macsec_fs_tx_create_crypto_table_groups(struct mlx5e_flow_table *ft) if (!in) { kfree(ft->g); + ft->g = NULL; return -ENOMEM; }
In function macsec_fs_tx_create_crypto_table_groups(), when the ft->g memory is successfully allocated but the 'in' memory fails to be allocated, the memory pointed to by ft->g is released once. And in function macsec_fs_tx_create(), macsec_fs_tx_destroy() is called to release the memory pointed to by ft->g again. This will cause double free problem. Fixes: e467b283ffd5 ("net/mlx5e: Add MACsec TX steering rules") Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> --- drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec_fs.c | 1 + 1 file changed, 1 insertion(+)