* [PATCH net] qed: Use after free in qed_rdma_free()
@ 2018-03-13 9:09 Dan Carpenter
2018-03-13 9:40 ` Kalderon, Michal
2018-03-13 14:55 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2018-03-13 9:09 UTC (permalink / raw)
To: Ariel Elior, Michal Kalderon; +Cc: everest-linux-l2, netdev, kernel-janitors
We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
before in qed_rdma_resc_free(p_hwfn).
Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
index f3ee6538b553..a411f9c702a1 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
@@ -379,8 +379,8 @@ static void qed_rdma_free(struct qed_hwfn *p_hwfn)
DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
qed_rdma_free_reserved_lkey(p_hwfn);
- qed_rdma_resc_free(p_hwfn);
qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto);
+ qed_rdma_resc_free(p_hwfn);
}
static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid)
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: [PATCH net] qed: Use after free in qed_rdma_free()
2018-03-13 9:09 [PATCH net] qed: Use after free in qed_rdma_free() Dan Carpenter
@ 2018-03-13 9:40 ` Kalderon, Michal
2018-03-13 14:55 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Kalderon, Michal @ 2018-03-13 9:40 UTC (permalink / raw)
To: Dan Carpenter, Elior, Ariel
Cc: Dept-Eng Everest Linux L2, netdev, kernel-janitors
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Tuesday, March 13, 2018 11:10 AM
> To: Elior, Ariel <Ariel.Elior@cavium.com>; Kalderon, Michal
> <Michal.Kalderon@cavium.com>
> Cc: Dept-Eng Everest Linux L2 <Dept-EngEverestLinuxL2@cavium.com>;
> netdev@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH net] qed: Use after free in qed_rdma_free()
>
> We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
> before in qed_rdma_resc_free(p_hwfn).
>
> Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> index f3ee6538b553..a411f9c702a1 100644
> --- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> +++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> @@ -379,8 +379,8 @@ static void qed_rdma_free(struct qed_hwfn
> *p_hwfn)
> DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
>
> qed_rdma_free_reserved_lkey(p_hwfn);
> - qed_rdma_resc_free(p_hwfn);
> qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto);
> + qed_rdma_resc_free(p_hwfn);
> }
>
> static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid)
Thanks,
Acked-by: Michal Kalderon <Michal.Kalderon@cavium.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] qed: Use after free in qed_rdma_free()
2018-03-13 9:09 [PATCH net] qed: Use after free in qed_rdma_free() Dan Carpenter
2018-03-13 9:40 ` Kalderon, Michal
@ 2018-03-13 14:55 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2018-03-13 14:55 UTC (permalink / raw)
To: dan.carpenter
Cc: Ariel.Elior, Michal.Kalderon, everest-linux-l2, netdev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 13 Mar 2018 12:09:38 +0300
> We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
> before in qed_rdma_resc_free(p_hwfn).
>
> Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied, thank you.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-13 14:55 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-13 9:09 [PATCH net] qed: Use after free in qed_rdma_free() Dan Carpenter
2018-03-13 9:40 ` Kalderon, Michal
2018-03-13 14:55 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).