summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDinghao Liu <dinghao.liu@zju.edu.cn>2023-12-10 12:52:55 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2023-12-20 15:32:33 +0100
commiteb2105fb9dd6fdca42cba3d36aa6ba37f1eb5cdf (patch)
treee6b596437a075e3aa96b748421dfa508f4fea403
parent02af3c8ab5cda2633b187bd18b5dc2b9f0af0859 (diff)
downloadlinux-stable-eb2105fb9dd6fdca42cba3d36aa6ba37f1eb5cdf.tar.gz
linux-stable-eb2105fb9dd6fdca42cba3d36aa6ba37f1eb5cdf.tar.bz2
linux-stable-eb2105fb9dd6fdca42cba3d36aa6ba37f1eb5cdf.zip
qed: Fix a potential use-after-free in qed_cxt_tables_alloc
[ Upstream commit b65d52ac9c085c0c52dee012a210d4e2f352611b ] qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to free p_hwfn->p_cxt_mngr->ilt_shadow on error. However, qed_cxt_tables_alloc() accesses the freed pointer on failure of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(), which may lead to use-after-free. Fix this issue by setting p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free(). Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support") Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> Link: https://lore.kernel.org/r/20231210045255.21383-1-dinghao.liu@zju.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat
-rw-r--r--drivers/net/ethernet/qlogic/qed/qed_cxt.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 4fc3468f6f38..6e8f894dcc13 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1024,6 +1024,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
p_dma->p_virt = NULL;
}
kfree(p_mngr->ilt_shadow);
+ p_mngr->ilt_shadow = NULL;
}
static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-08 17:16:35 +0000