diff options
| author | Shay Drory <shayd@nvidia.com> | 2023-06-14 16:26:07 +0300 |
|---|---|---|
| committer | Saeed Mahameed <saeedm@nvidia.com> | 2023-06-23 22:27:32 +0300 |
| commit | da744fd1362cd8ccf71043c62825cb88cb946886 (patch) | |
| tree | 05d0016599a052e8cd63fc838b9557e06939e0ad /drivers | |
| parent | faaa5fd30344f9a7b3816ae7a6b58ccd5a34998f (diff) | |
| download | linux-da744fd1362cd8ccf71043c62825cb88cb946886.tar.xz | |
net/mlx5: Fix UAF in mlx5_eswitch_cleanup()
mlx5_eswitch_cleanup() is using esw right after freeing it for
releasing devlink_param.
Fix it by releasing the devlink_param before freeing the esw, and
adjust the create function accordingly.
Fixes: 3f90840305e2 ("net/mlx5: Move esw multiport devlink param to eswitch code")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Automatic Verification <verifier@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c index 5aaedbf71783..b4e465856127 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c @@ -1751,16 +1751,14 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev) if (!MLX5_VPORT_MANAGER(dev) && !MLX5_ESWITCH_MANAGER(dev)) return 0; + esw = kzalloc(sizeof(*esw), GFP_KERNEL); + if (!esw) + return -ENOMEM; + err = devl_params_register(priv_to_devlink(dev), mlx5_eswitch_params, ARRAY_SIZE(mlx5_eswitch_params)); if (err) - return err; - - esw = kzalloc(sizeof(*esw), GFP_KERNEL); - if (!esw) { - err = -ENOMEM; - goto unregister_param; - } + goto free_esw; esw->dev = dev; esw->manager_vport = mlx5_eswitch_manager_vport(dev); @@ -1821,10 +1819,10 @@ abort: if (esw->work_queue) destroy_workqueue(esw->work_queue); debugfs_remove_recursive(esw->debugfs_root); - kfree(esw); -unregister_param: devl_params_unregister(priv_to_devlink(dev), mlx5_eswitch_params, ARRAY_SIZE(mlx5_eswitch_params)); +free_esw: + kfree(esw); return err; } @@ -1848,9 +1846,9 @@ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw) esw_offloads_cleanup(esw); mlx5_esw_vports_cleanup(esw); debugfs_remove_recursive(esw->debugfs_root); - kfree(esw); devl_params_unregister(priv_to_devlink(esw->dev), mlx5_eswitch_params, ARRAY_SIZE(mlx5_eswitch_params)); + kfree(esw); } /* Vport Administration */ |