lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Sep 2020 10:43:01 +0300 From: Leon Romanovsky <leon@...nel.org> To: Alex Dewar <alex.dewar90@...il.com> Cc: Saeed Mahameed <saeedm@...dia.com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Roi Dayan <roid@...lanox.com>, Oz Shlomo <ozsh@...lanox.com>, Paul Blakey <paulb@...lanox.com>, Ariel Levkovich <lariel@...dia.com>, Eli Britstein <elibr@...lanox.com>, netdev@...r.kernel.org, linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 3/3] net/mlx5e: Fix use of freed pointer On Sun, Sep 27, 2020 at 12:32:53PM +0100, Alex Dewar wrote: > If the call to mlx5_fc_create() fails, then shared_counter will be freed > before its member, shared_counter->counter, is accessed to retrieve the > error code. Fix by using an intermediate variable. > > Addresses-Coverity: CID 1497153: Memory - illegal accesses (USE_AFTER_FREE) > Signed-off-by: Alex Dewar <alex.dewar90@...il.com> > --- Please add Fixes line. > drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c > index b5f8ed30047b..5851a1dfe6e4 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c > @@ -738,6 +738,7 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, > struct mlx5_ct_shared_counter *shared_counter; > struct mlx5_core_dev *dev = ct_priv->dev; > struct mlx5_ct_entry *rev_entry; > + struct mlx5_fc *counter; > __be16 tmp_port; > > /* get the reversed tuple */ > @@ -775,12 +776,13 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, > if (!shared_counter) > return ERR_PTR(-ENOMEM); > > - shared_counter->counter = mlx5_fc_create(dev, true); > - if (IS_ERR(shared_counter->counter)) { > + counter = mlx5_fc_create(dev, true); > + if (IS_ERR(counter)) { > ct_dbg("Failed to create counter for ct entry"); > kfree(shared_counter); > - return ERR_PTR(PTR_ERR(shared_counter->counter)); > + return (struct mlx5_ct_shared_counter *)counter; return ERR_CAST(counter); > } > + shared_counter->counter = counter; > > refcount_set(&shared_counter->refcount, 1); > return shared_counter; > -- > 2.28.0 >
Powered by blists - more mailing lists