lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sat,  3 Oct 2020 12:10:50 +0100
From:   Alex Dewar <alex.dewar90@...il.com>
To:     unlisted-recipients:; (no To-header on input)
Cc:     Alex Dewar <alex.dewar90@...il.com>,
        Saeed Mahameed <saeedm@...dia.com>,
        Leon Romanovsky <leon@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        netdev@...r.kernel.org, linux-rdma@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] net/mlx5e: Fix freeing of unassigned pointer

Commit ff7ea04ad579 ("net/mlx5e: Fix potential null pointer dereference")
added some missing null checks but the error handling in
mlx5e_alloc_flow() was left broken: the variable attr is passed to kfree
although it is never assigned to and never needs to be freed in this
function. Fix this.

Addresses-Coverity-ID: 1497536 ("Memory - illegal accesses")
Fixes: ff7ea04ad579 ("net/mlx5e: Fix potential null pointer dereference")
Signed-off-by: Alex Dewar <alex.dewar90@...il.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index a0c356987e1a..88298e96c4ea 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -4536,13 +4536,14 @@ mlx5e_alloc_flow(struct mlx5e_priv *priv, int attr_size,
 	struct mlx5e_tc_flow_parse_attr *parse_attr;
 	struct mlx5_flow_attr *attr;
 	struct mlx5e_tc_flow *flow;
-	int err = -ENOMEM;
 	int out_index;
 
 	flow = kzalloc(sizeof(*flow), GFP_KERNEL);
+	if (!flow)
+		return -ENOMEM;
 	parse_attr = kvzalloc(sizeof(*parse_attr), GFP_KERNEL);
-	if (!parse_attr || !flow)
-		goto err_free;
+	if (!parse_attr)
+		goto err_free_flow;
 
 	flow->flags = flow_flags;
 	flow->cookie = f->cookie;
@@ -4550,7 +4551,7 @@ mlx5e_alloc_flow(struct mlx5e_priv *priv, int attr_size,
 
 	attr = mlx5_alloc_flow_attr(get_flow_name_space(flow));
 	if (!attr)
-		goto err_free;
+		goto err_free_parse_attr;
 
 	flow->attr = attr;
 
@@ -4566,11 +4567,11 @@ mlx5e_alloc_flow(struct mlx5e_priv *priv, int attr_size,
 
 	return 0;
 
-err_free:
-	kfree(flow);
+err_free_parse_attr:
 	kvfree(parse_attr);
-	kfree(attr);
-	return err;
+err_free_flow:
+	kfree(flow);
+	return -ENOMEM;
 }
 
 static void
-- 
2.28.0

Powered by blists - more mailing lists