* [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
@ 2020-05-05 20:47 Dan Carpenter
2020-05-08 0:36 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2020-05-05 20:47 UTC (permalink / raw)
To: Claudiu Manoil, Po Liu; +Cc: David S. Miller, netdev, kernel-janitors
This code frees "sfi" and then dereferences it on the next line.
Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/net/ethernet/freescale/enetc/enetc_qos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
index 48e589e9d0f7c..10d79eb46c2e8 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
@@ -902,8 +902,8 @@ static void stream_filter_unref(struct enetc_ndev_priv *priv, u32 index)
if (z) {
enetc_streamfilter_hw_set(priv, sfi, false);
hlist_del(&sfi->node);
- kfree(sfi);
clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);
+ kfree(sfi);
}
}
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
2020-05-05 20:47 [PATCH net-next] enetc: Fix use after free in stream_filter_unref() Dan Carpenter
@ 2020-05-08 0:36 ` David Miller
0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2020-05-08 0:36 UTC (permalink / raw)
To: dan.carpenter; +Cc: claudiu.manoil, Po.Liu, netdev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 5 May 2020 23:47:21 +0300
> This code frees "sfi" and then dereferences it on the next line.
>
> Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
This was fixed in another patch by using the local variable 'index'.
^ permalink raw reply [flat|nested] 3+ messages in thread
* RE: [PATCH net-next] enetc: Fix use after free in stream_filter_unref()
@ 2020-05-06 4:14 Po Liu
0 siblings, 0 replies; 3+ messages in thread
From: Po Liu @ 2020-05-06 4:14 UTC (permalink / raw)
To: Dan Carpenter, Claudiu Manoil; +Cc: David S. Miller, netdev, kernel-janitors
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: 2020年5月6日 4:47
> To: Claudiu Manoil <claudiu.manoil@nxp.com>; Po Liu <po.liu@nxp.com>
> Cc: David S. Miller <davem@davemloft.net>; netdev@vger.kernel.org;
> kernel-janitors@vger.kernel.org
> Subject: [PATCH net-next] enetc: Fix use after free in
> stream_filter_unref()
>
>
> This code frees "sfi" and then dereferences it on the next line.
>
> Fixes: 888ae5a3952b ("net: enetc: add tc flower psfp offload driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/net/ethernet/freescale/enetc/enetc_qos.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> index 48e589e9d0f7c..10d79eb46c2e8 100644
> --- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> +++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
> @@ -902,8 +902,8 @@ static void stream_filter_unref(struct
> enetc_ndev_priv *priv, u32 index)
> if (z) {
> enetc_streamfilter_hw_set(priv, sfi, false);
> hlist_del(&sfi->node);
> - kfree(sfi);
> clear_bit(sfi->index, epsfp.psfp_sfi_bitmap);
This "sfi->index" should be "index", but the patch is also fix it.
> + kfree(sfi);
> }
> }
>
> --
> 2.26.2
Thanks a lot.
Br,
Po Liu
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-05-08 0:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-05 20:47 [PATCH net-next] enetc: Fix use after free in stream_filter_unref() Dan Carpenter
2020-05-08 0:36 ` David Miller
2020-05-06 4:14 Po Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).