[net] chelsio/chtls: fix a double free in chtls_setkey()

Commit Message

Dan Carpenter Dec. 3, 2020, 8:44 a.m. UTC

The "skb" is freed by the transmit code in cxgb4_ofld_send() and we
shouldn't use it again.  But in the current code, if we hit an error
later on in the function then the clean up code will call kfree_skb(skb)
and so it causes a double free.

Set the "skb" to NULL and that makes the kfree_skb() a no-op.

Fixes: d25f2f71f653 ("crypto: chtls - Program the TLS session Key")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Jakub Kicinski Dec. 3, 2020, 6:55 p.m. UTC | #1

On Thu, 3 Dec 2020 11:44:31 +0300 Dan Carpenter wrote:
> The "skb" is freed by the transmit code in cxgb4_ofld_send() and we
> shouldn't use it again.  But in the current code, if we hit an error
> later on in the function then the clean up code will call kfree_skb(skb)
> and so it causes a double free.
> 
> Set the "skb" to NULL and that makes the kfree_skb() a no-op.
> 
> Fixes: d25f2f71f653 ("crypto: chtls - Program the TLS session Key")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied, thanks!

Patch

diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c
index 62c829023da5..a4fb463af22a 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c
@@ -391,6 +391,7 @@  int chtls_setkey(struct chtls_sock *csk, u32 keylen,
 	csk->wr_unacked += DIV_ROUND_UP(len, 16);
 	enqueue_wr(csk, skb);
 	cxgb4_ofld_send(csk->egress_dev, skb);
+	skb = NULL;
 
 	chtls_set_scmd(csk);
 	/* Clear quiesce for Rx key */