Re: [PATCH v2] net/mlx5: Fix use-after-free
From: "Gustavo A. R. Silva"
Date: Thu, 22 Mar 2018 13:44:56 -0500
> _rule_ is being freed and then dereferenced by accessing rule->ctx
>
> Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local
> variable for its safe use after freeing _rule_
>
> Addresses-Coverity-ID: 1466041 ("Read from pointer after free")
> Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec
> implementation")
> Reviewed-by: Yuval Shaia
> Signed-off-by: Gustavo A. R. Silva
> ---
> Changes in v2:
> - Use a short subject prefix as suggested by Yuval Shaia.
> - Add Yuval's Reviewed-by.
Applied to net-next.
Thank you.
Re: [PATCH v2] net/mlx5: Fix use-after-free
On Thu, 2018-03-22 at 13:44 -0500, Gustavo A. R. Silva wrote:
> _rule_ is being freed and then dereferenced by accessing rule->ctx
>
> Fix this by copying the value returned by PTR_ERR(rule->ctx) into a
> local
> variable for its safe use after freeing _rule_
>
> Addresses-Coverity-ID: 1466041 ("Read from pointer after free")
> Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA
> IPSec implementation")
> Reviewed-by: Yuval Shaia
> Signed-off-by: Gustavo A. R. Silva
Acked-by: Saeed Mahameed
> ---
> Changes in v2:
> - Use a short subject prefix as suggested by Yuval Shaia.
> - Add Yuval's Reviewed-by.
>
> drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> index 4f15685..0f5da49 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
> @@ -1061,8 +1061,9 @@ static int fpga_ipsec_fs_create_fte(struct
> mlx5_core_dev *dev,
>
> rule->ctx = mlx5_fpga_ipsec_fs_create_sa_ctx(dev, fte,
> is_egress);
> if (IS_ERR(rule->ctx)) {
> + int err = PTR_ERR(rule->ctx);
> kfree(rule);
> - return PTR_ERR(rule->ctx);
> + return err;
> }
>
> rule->fte = fte;
[PATCH v2] net/mlx5: Fix use-after-free
_rule_ is being freed and then dereferenced by accessing rule->ctx
Fix this by copying the value returned by PTR_ERR(rule->ctx) into a local
variable for its safe use after freeing _rule_
Addresses-Coverity-ID: 1466041 ("Read from pointer after free")
Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec
implementation")
Reviewed-by: Yuval Shaia
Signed-off-by: Gustavo A. R. Silva
---
Changes in v2:
- Use a short subject prefix as suggested by Yuval Shaia.
- Add Yuval's Reviewed-by.
drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
index 4f15685..0f5da49 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
@@ -1061,8 +1061,9 @@ static int fpga_ipsec_fs_create_fte(struct mlx5_core_dev
*dev,
rule->ctx = mlx5_fpga_ipsec_fs_create_sa_ctx(dev, fte, is_egress);
if (IS_ERR(rule->ctx)) {
+ int err = PTR_ERR(rule->ctx);
kfree(rule);
- return PTR_ERR(rule->ctx);
+ return err;
}
rule->fte = fte;
--
2.7.4
