diff mbox series

net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template

Message ID 20210311040140.7339-1-lyl2019@mail.ustc.edu.cn (mailing list archive)
State Accepted
Commit db74623a3850db99cb9692fda9e836a56b74198d
Delegated to: Netdev Maintainers
Headers show
Series net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers fail 1 blamed authors not CCed: elfring@users.sourceforge.net; 1 maintainers not CCed: elfring@users.sourceforge.net
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 15 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link

Commit Message

Lv Yunlong March 11, 2021, 4:01 a.m. UTC 
In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by
vfree(). But unfortunately, it is used when extended is true.

Fixes: 7061b2bdd620e ("qlogic: Deletion of unnecessary checks before two function calls")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org March 12, 2021, 2:30 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed, 10 Mar 2021 20:01:40 -0800 you wrote:
> In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by
> vfree(). But unfortunately, it is used when extended is true.
> 
> Fixes: 7061b2bdd620e ("qlogic: Deletion of unnecessary checks before two function calls")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
>  drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 3 +++
>  1 file changed, 3 insertions(+)

Here is the summary with links:
  - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template
    https://git.kernel.org/netdev/net/c/db74623a3850

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
index 7760a3394e93..7ecb3dfe30bd 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
@@ -1425,6 +1425,7 @@  void qlcnic_83xx_get_minidump_template(struct qlcnic_adapter *adapter)
 
 	if (fw_dump->tmpl_hdr == NULL || current_version > prev_version) {
 		vfree(fw_dump->tmpl_hdr);
+		fw_dump->tmpl_hdr = NULL;
 
 		if (qlcnic_83xx_md_check_extended_dump_capability(adapter))
 			extended = !qlcnic_83xx_extend_md_capab(adapter);
@@ -1443,6 +1444,8 @@  void qlcnic_83xx_get_minidump_template(struct qlcnic_adapter *adapter)
 			struct qlcnic_83xx_dump_template_hdr *hdr;
 
 			hdr = fw_dump->tmpl_hdr;
+			if (!hdr)
+				return;
 			hdr->drv_cap_mask = 0x1f;
 			fw_dump->cap_mask = 0x1f;
 			dev_info(&pdev->dev,