| Message ID | 20200929101554.8963-1-alex.dewar90@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] net/mlx5e: Fix use of freed pointer | expand |
On Tue, Sep 29, 2020 at 11:15:49AM +0100, Alex Dewar wrote: > If the call to mlx5_fc_create() fails, then shared_counter will be freed > before its member, shared_counter->counter, is accessed to retrieve the > error code. Fix by using an intermediate variable. > > Addresses-Coverity: CID 1497153: Memory - illegal accesses (USE_AFTER_FREE) > Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions") > Signed-off-by: Alex Dewar <alex.dewar90@gmail.com> > --- > v2: > - Add Fixes tag (Leon) > - Use ERR_CAST (Leon) > > Hi Leon, > > I've made the suggested changes. Let me know if there's anything else > you need :) Hi Alex, Saeed already picked Dan's patch. https://lore.kernel.org/linux-rdma/1017ab3724b83818c03dfa7661b3f31827a7f62f.camel@kernel.org/T/#t > > There is also this patch in the series which doesn't seem to have been > reviewed yet: https://lore.kernel.org/lkml/20200927113254.362480-4-alex.dewar90@gmail.com/ Ariel is handling this internally. https://lore.kernel.org/linux-rdma/64f6a3eaaac505c341f996df0b0877ee9af56c00.camel@kernel.org/T/#t Thanks
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index b5f8ed30047b..1e80e7669995 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -738,6 +738,7 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, struct mlx5_ct_shared_counter *shared_counter; struct mlx5_core_dev *dev = ct_priv->dev; struct mlx5_ct_entry *rev_entry; + struct mlx5_fc *counter; __be16 tmp_port; /* get the reversed tuple */ @@ -775,12 +776,13 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, if (!shared_counter) return ERR_PTR(-ENOMEM); - shared_counter->counter = mlx5_fc_create(dev, true); - if (IS_ERR(shared_counter->counter)) { + counter = mlx5_fc_create(dev, true); + if (IS_ERR(counter)) { ct_dbg("Failed to create counter for ct entry"); kfree(shared_counter); - return ERR_PTR(PTR_ERR(shared_counter->counter)); + return ERR_CAST(counter); } + shared_counter->counter = counter; refcount_set(&shared_counter->refcount, 1); return shared_counter;
If the call to mlx5_fc_create() fails, then shared_counter will be freed before its member, shared_counter->counter, is accessed to retrieve the error code. Fix by using an intermediate variable. Addresses-Coverity: CID 1497153: Memory - illegal accesses (USE_AFTER_FREE) Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions") Signed-off-by: Alex Dewar <alex.dewar90@gmail.com> --- v2: - Add Fixes tag (Leon) - Use ERR_CAST (Leon) Hi Leon, I've made the suggested changes. Let me know if there's anything else you need :) There is also this patch in the series which doesn't seem to have been reviewed yet: https://lore.kernel.org/lkml/20200927113254.362480-4-alex.dewar90@gmail.com/ Best, Alex drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)