* [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
@ 2020-05-05 20:47 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2020-05-05 20:47 UTC (permalink / raw)
To: Claudiu Manoil, Po Liu; +Cc: David S. Miller, netdev, kernel-janitors
This code frees "sfi" and then dereferences it on the next line.
Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/net/ethernet/freescale/enetc/enetc_qos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
index 48e589e9d0f7c..10d79eb46c2e8 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
@@ -902,8 +902,8 @@ static void stream_filter_unref(struct enetc_ndev_priv *priv, u32 index)
if (z) {
enetc_streamfilter_hw_set(priv, sfi, false);
hlist_del(&sfi->node);
- kfree(sfi);
clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);
+ kfree(sfi);
}
}
--
2.26.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
@ 2020-05-05 20:47 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2020-05-05 20:47 UTC (permalink / raw)
To: Claudiu Manoil, Po Liu; +Cc: David S. Miller, netdev, kernel-janitors
This code frees "sfi" and then dereferences it on the next line.
Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/net/ethernet/freescale/enetc/enetc_qos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
index 48e589e9d0f7c..10d79eb46c2e8 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
@@ -902,8 +902,8 @@ static void stream_filter_unref(struct enetc_ndev_priv *priv, u32 index)
if (z) {
enetc_streamfilter_hw_set(priv, sfi, false);
hlist_del(&sfi->node);
- kfree(sfi);
clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);
+ kfree(sfi);
}
}
--
2.26.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* RE: [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
2020-05-05 20:47 ` Dan Carpenter
@ 2020-05-06 4:14 ` Po Liu
-1 siblings, 0 replies; 6+ messages in thread
From: Po Liu @ 2020-05-06 4:14 UTC (permalink / raw)
To: Dan Carpenter, Claudiu Manoil; +Cc: David S. Miller, netdev, kernel-janitors
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: 2020年5月6日 4:47
> To: Claudiu Manoil <claudiu.manoil@nxp.com>; Po Liu <po.liu@nxp.com>
> Cc: David S. Miller <davem@davemloft.net>; netdev@vger.kernel.org;
> kernel-janitors@vger.kernel.org
> Subject: [PATCH net-next] enetc: Fix use after free in
> stream_filter_unref()
>
>
> This code frees "sfi" and then dereferences it on the next line.
>
> Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/net/ethernet/freescale/enetc/enetc_qos.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> index 48e589e9d0f7c..10d79eb46c2e8 100644
> --- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> @@ -902,8 +902,8 @@ static void stream_filter_unref(struct
> enetc_ndev_priv *priv, u32 index)
> if (z) {
> enetc_streamfilter_hw_set(priv, sfi, false);
> hlist_del(&sfi->node);
> - kfree(sfi);
> clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);
This "sfi->index" should be "index", but the patch is also fix it.
> + kfree(sfi);
> }
> }
>
> --
> 2.26.2
Thanks a lot.
Br,
Po Liu
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
@ 2020-05-06 4:14 ` Po Liu
0 siblings, 0 replies; 6+ messages in thread
From: Po Liu @ 2020-05-06 4:14 UTC (permalink / raw)
To: Dan Carpenter, Claudiu Manoil; +Cc: David S. Miller, netdev, kernel-janitors
SGkgRGFuLA0KDQoNCj4gLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCj4gRnJvbTogRGFuIENh
cnBlbnRlciA8ZGFuLmNhcnBlbnRlckBvcmFjbGUuY29tPg0KPiBTZW50OiAyMDIwxOo11MI2yNUg
NDo0Nw0KPiBUbzogQ2xhdWRpdSBNYW5vaWwgPGNsYXVkaXUubWFub2lsQG54cC5jb20+OyBQbyBM
aXUgPHBvLmxpdUBueHAuY29tPg0KPiBDYzogRGF2aWQgUy4gTWlsbGVyIDxkYXZlbUBkYXZlbWxv
ZnQubmV0PjsgbmV0ZGV2QHZnZXIua2VybmVsLm9yZzsNCj4ga2VybmVsLWphbml0b3JzQHZnZXIu
a2VybmVsLm9yZw0KPiBTdWJqZWN0OiBbUEFUQ0ggbmV0LW5leHRdIGVuZXRjOiBGaXggdXNlIGFm
dGVyIGZyZWUgaW4NCj4gc3RyZWFtX2ZpbHRlcl91bnJlZigpDQo+IA0KPiANCj4gVGhpcyBjb2Rl
IGZyZWVzICJzZmkiIGFuZCB0aGVuIGRlcmVmZXJlbmNlcyBpdCBvbiB0aGUgbmV4dCBsaW5lLg0K
PiANCj4gRml4ZXM6IDg4OGFlNWEzOTUyYiAoIm5ldDogZW5ldGM6IGFkZCB0YyBmbG93ZXIgcHNm
cCBvZmZsb2FkIGRyaXZlciIpDQo+IFNpZ25lZC1vZmYtYnk6IERhbiBDYXJwZW50ZXIgPGRhbi5j
YXJwZW50ZXJAb3JhY2xlLmNvbT4NCj4gLS0tDQo+ICBkcml2ZXJzL25ldC9ldGhlcm5ldC9mcmVl
c2NhbGUvZW5ldGMvZW5ldGNfcW9zLmMgfCAyICstDQo+ICAxIGZpbGUgY2hhbmdlZCwgMSBpbnNl
cnRpb24oKyksIDEgZGVsZXRpb24oLSkNCj4gDQo+IGRpZmYgLS1naXQgYS9kcml2ZXJzL25ldC9l
dGhlcm5ldC9mcmVlc2NhbGUvZW5ldGMvZW5ldGNfcW9zLmMNCj4gYi9kcml2ZXJzL25ldC9ldGhl
cm5ldC9mcmVlc2NhbGUvZW5ldGMvZW5ldGNfcW9zLmMNCj4gaW5kZXggNDhlNTg5ZTlkMGY3Yy4u
MTBkNzllYjQ2YzJlOCAxMDA2NDQNCj4gLS0tIGEvZHJpdmVycy9uZXQvZXRoZXJuZXQvZnJlZXNj
YWxlL2VuZXRjL2VuZXRjX3Fvcy5jDQo+ICsrKyBiL2RyaXZlcnMvbmV0L2V0aGVybmV0L2ZyZWVz
Y2FsZS9lbmV0Yy9lbmV0Y19xb3MuYw0KPiBAQCAtOTAyLDggKzkwMiw4IEBAIHN0YXRpYyB2b2lk
IHN0cmVhbV9maWx0ZXJfdW5yZWYoc3RydWN0DQo+IGVuZXRjX25kZXZfcHJpdiAqcHJpdiwgdTMy
IGluZGV4KQ0KPiAgICAgICAgIGlmICh6KSB7DQo+ICAgICAgICAgICAgICAgICBlbmV0Y19zdHJl
YW1maWx0ZXJfaHdfc2V0KHByaXYsIHNmaSwgZmFsc2UpOw0KPiAgICAgICAgICAgICAgICAgaGxp
c3RfZGVsKCZzZmktPm5vZGUpOw0KPiAtICAgICAgICAgICAgICAga2ZyZWUoc2ZpKTsNCj4gICAg
ICAgICAgICAgICAgIGNsZWFyX2JpdChzZmktPmluZGV4LCBlcHNmcC5wc2ZwX3NmaV9iaXRtYXAp
Ow0KDQpUaGlzICJzZmktPmluZGV4IiBzaG91bGQgYmUgImluZGV4IiwgYnV0IHRoZSBwYXRjaCBp
cyBhbHNvIGZpeCBpdC4NCg0KPiArICAgICAgICAgICAgICAga2ZyZWUoc2ZpKTsNCj4gICAgICAg
ICB9DQo+ICB9DQo+IA0KPiAtLQ0KPiAyLjI2LjINCg0KVGhhbmtzIGEgbG90Lg0KDQpCciwNClBv
IExpdQ0KDQo
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
2020-05-05 20:47 ` Dan Carpenter
@ 2020-05-08 0:36 ` David Miller
-1 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2020-05-08 0:36 UTC (permalink / raw)
To: dan.carpenter; +Cc: claudiu.manoil, Po.Liu, netdev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 5 May 2020 23:47:21 +0300
> This code frees "sfi" and then dereferences it on the next line.
>
> Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
This was fixed in another patch by using the local variable 'index'.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
@ 2020-05-08 0:36 ` David Miller
0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2020-05-08 0:36 UTC (permalink / raw)
To: dan.carpenter; +Cc: claudiu.manoil, Po.Liu, netdev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 5 May 2020 23:47:21 +0300
> This code frees "sfi" and then dereferences it on the next line.
>
> Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
This was fixed in another patch by using the local variable 'index'.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-05-08 0:36 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-05 20:47 [PATCH net-next] enetc: Fix use after free in stream_filter_unref() Dan Carpenter
2020-05-05 20:47 ` Dan Carpenter
2020-05-08 0:36 ` David Miller
2020-05-08 0:36 ` David Miller
2020-05-06 4:14 Po Liu
2020-05-06 4:14 ` Po Liu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.