[PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
@ 2017-11-05  3:54 Gustavo A. R. Silva
       [not found] ` <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
  0 siblings, 1 reply; 8+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-05  3:54 UTC (permalink / raw)
  To: Saeed Mahameed, Matan Barak, Leon Romanovsky
  Cc: netdev, linux-rdma, linux-kernel, Gustavo A. R. Silva

hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
by accessing hn->ai.addr

Fix this by copying the MAC address into a local variable for its safe use
in all possible execution paths within function mlx5e_execute_l2_action.

Addresses-Coverity-ID: 1417789
Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
index 850cdc9..4837045 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
@@ -365,21 +365,24 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
 				    struct mlx5e_l2_hash_node *hn)
 {
 	u8 action = hn->action;
+	u8 mac_addr[ETH_ALEN];
 	int l2_err = 0;
 
+	ether_addr_copy(mac_addr, hn->ai.addr);
+
 	switch (action) {
 	case MLX5E_ACTION_ADD:
 		mlx5e_add_l2_flow_rule(priv, &hn->ai, MLX5E_FULLMATCH);
-		if (!is_multicast_ether_addr(hn->ai.addr)) {
-			l2_err = mlx5_mpfs_add_mac(priv->mdev, hn->ai.addr);
+		if (!is_multicast_ether_addr(mac_addr)) {
+			l2_err = mlx5_mpfs_add_mac(priv->mdev, mac_addr);
 			hn->mpfs = !l2_err;
 		}
 		hn->action = MLX5E_ACTION_NONE;
 		break;
 
 	case MLX5E_ACTION_DEL:
-		if (!is_multicast_ether_addr(hn->ai.addr) && hn->mpfs)
-			l2_err = mlx5_mpfs_del_mac(priv->mdev, hn->ai.addr);
+		if (!is_multicast_ether_addr(mac_addr) && hn->mpfs)
+			l2_err = mlx5_mpfs_del_mac(priv->mdev, mac_addr);
 		mlx5e_del_l2_flow_rule(priv, &hn->ai);
 		mlx5e_del_l2_from_hash(hn);
 		break;
@@ -387,7 +390,7 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
 
 	if (l2_err)
 		netdev_warn(priv->netdev, "MPFS, failed to %s mac %pM, err(%d)\n",
-			    action == MLX5E_ACTION_ADD ? "add" : "del", hn->ai.addr, l2_err);
+			    action == MLX5E_ACTION_ADD ? "add" : "del", mac_addr, l2_err);
 }
 
 static void mlx5e_sync_netdev_addr(struct mlx5e_priv *priv)
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 8+ messages in thread

[parent not found: <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>]

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
  2017-11-05  3:54 [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action Gustavo A. R. Silva
@ 2017-11-05  4:43     ` Saeed Mahameed
  0 siblings, 0 replies; 8+ messages in thread
From: Saeed Mahameed @ 2017-11-05  4:43 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Saeed Mahameed, Matan Barak, Leon Romanovsky, Linux Netdev List,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, linux-kernel, Jes Sorensen,
	Martin KaFai Lau

On Sat, Nov 4, 2017 at 8:54 PM, Gustavo A. R. Silva
<garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org> wrote:
> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
> by accessing hn->ai.addr
>
> Fix this by copying the MAC address into a local variable for its safe use
> in all possible execution paths within function mlx5e_execute_l2_action.
>
> Addresses-Coverity-ID: 1417789
> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
> Signed-off-by: Gustavo A. R. Silva <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>

Acked-by: Saeed Mahameed <saeedm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Looks good.
Thank you Gustavo.

> ---
>  drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> index 850cdc9..4837045 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> @@ -365,21 +365,24 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
>                                     struct mlx5e_l2_hash_node *hn)
>  {
>         u8 action = hn->action;
> +       u8 mac_addr[ETH_ALEN];
>         int l2_err = 0;
>
> +       ether_addr_copy(mac_addr, hn->ai.addr);
> +
>         switch (action) {
>         case MLX5E_ACTION_ADD:
>                 mlx5e_add_l2_flow_rule(priv, &hn->ai, MLX5E_FULLMATCH);
> -               if (!is_multicast_ether_addr(hn->ai.addr)) {
> -                       l2_err = mlx5_mpfs_add_mac(priv->mdev, hn->ai.addr);
> +               if (!is_multicast_ether_addr(mac_addr)) {
> +                       l2_err = mlx5_mpfs_add_mac(priv->mdev, mac_addr);
>                         hn->mpfs = !l2_err;
>                 }
>                 hn->action = MLX5E_ACTION_NONE;
>                 break;
>
>         case MLX5E_ACTION_DEL:
> -               if (!is_multicast_ether_addr(hn->ai.addr) && hn->mpfs)
> -                       l2_err = mlx5_mpfs_del_mac(priv->mdev, hn->ai.addr);
> +               if (!is_multicast_ether_addr(mac_addr) && hn->mpfs)
> +                       l2_err = mlx5_mpfs_del_mac(priv->mdev, mac_addr);
>                 mlx5e_del_l2_flow_rule(priv, &hn->ai);
>                 mlx5e_del_l2_from_hash(hn);
>                 break;
> @@ -387,7 +390,7 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
>
>         if (l2_err)
>                 netdev_warn(priv->netdev, "MPFS, failed to %s mac %pM, err(%d)\n",
> -                           action == MLX5E_ACTION_ADD ? "add" : "del", hn->ai.addr, l2_err);
> +                           action == MLX5E_ACTION_ADD ? "add" : "del", mac_addr, l2_err);
>  }
>
>  static void mlx5e_sync_netdev_addr(struct mlx5e_priv *priv)
> --
> 2.7.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
@ 2017-11-05  4:43     ` Saeed Mahameed
  0 siblings, 0 replies; 8+ messages in thread
From: Saeed Mahameed @ 2017-11-05  4:43 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Saeed Mahameed, Matan Barak, Leon Romanovsky, Linux Netdev List,
	linux-rdma, linux-kernel, Jes Sorensen, Martin KaFai Lau

On Sat, Nov 4, 2017 at 8:54 PM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
> by accessing hn->ai.addr
>
> Fix this by copying the MAC address into a local variable for its safe use
> in all possible execution paths within function mlx5e_execute_l2_action.
>
> Addresses-Coverity-ID: 1417789
> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>

Acked-by: Saeed Mahameed <saeedm@mellanox.com>

Looks good.
Thank you Gustavo.

> ---
>  drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> index 850cdc9..4837045 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> @@ -365,21 +365,24 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
>                                     struct mlx5e_l2_hash_node *hn)
>  {
>         u8 action = hn->action;
> +       u8 mac_addr[ETH_ALEN];
>         int l2_err = 0;
>
> +       ether_addr_copy(mac_addr, hn->ai.addr);
> +
>         switch (action) {
>         case MLX5E_ACTION_ADD:
>                 mlx5e_add_l2_flow_rule(priv, &hn->ai, MLX5E_FULLMATCH);
> -               if (!is_multicast_ether_addr(hn->ai.addr)) {
> -                       l2_err = mlx5_mpfs_add_mac(priv->mdev, hn->ai.addr);
> +               if (!is_multicast_ether_addr(mac_addr)) {
> +                       l2_err = mlx5_mpfs_add_mac(priv->mdev, mac_addr);
>                         hn->mpfs = !l2_err;
>                 }
>                 hn->action = MLX5E_ACTION_NONE;
>                 break;
>
>         case MLX5E_ACTION_DEL:
> -               if (!is_multicast_ether_addr(hn->ai.addr) && hn->mpfs)
> -                       l2_err = mlx5_mpfs_del_mac(priv->mdev, hn->ai.addr);
> +               if (!is_multicast_ether_addr(mac_addr) && hn->mpfs)
> +                       l2_err = mlx5_mpfs_del_mac(priv->mdev, mac_addr);
>                 mlx5e_del_l2_flow_rule(priv, &hn->ai);
>                 mlx5e_del_l2_from_hash(hn);
>                 break;
> @@ -387,7 +390,7 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
>
>         if (l2_err)
>                 netdev_warn(priv->netdev, "MPFS, failed to %s mac %pM, err(%d)\n",
> -                           action == MLX5E_ACTION_ADD ? "add" : "del", hn->ai.addr, l2_err);
> +                           action == MLX5E_ACTION_ADD ? "add" : "del", mac_addr, l2_err);
>  }
>
>  static void mlx5e_sync_netdev_addr(struct mlx5e_priv *priv)
> --
> 2.7.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

[parent not found: <CALzJLG-YW_5AH__q2XHgaQM=xeLy+31LSeQdPAs7RhS=rLpJPw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
  2017-11-05  4:43     ` Saeed Mahameed
@ 2017-11-06  0:45         ` Gustavo A. R. Silva
  -1 siblings, 0 replies; 8+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-06  0:45 UTC (permalink / raw)
  To: Saeed Mahameed
  Cc: Saeed Mahameed, Matan Barak, Leon Romanovsky, Linux Netdev List,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, linux-kernel, Jes Sorensen,
	Martin KaFai Lau

Hi Saeed,

Quoting Saeed Mahameed <saeedm-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>:

> On Sat, Nov 4, 2017 at 8:54 PM, Gustavo A. R. Silva
> <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org> wrote:
>> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
>> by accessing hn->ai.addr
>>
>> Fix this by copying the MAC address into a local variable for its safe use
>> in all possible execution paths within function mlx5e_execute_l2_action.
>>
>> Addresses-Coverity-ID: 1417789
>> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
>> Signed-off-by: Gustavo A. R. Silva <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
>
> Acked-by: Saeed Mahameed <saeedm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>
> Looks good.
> Thank you Gustavo.
>

Glad to help.

Thanks
--
Gustavo A. R. Silva





--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
@ 2017-11-06  0:45         ` Gustavo A. R. Silva
  0 siblings, 0 replies; 8+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-06  0:45 UTC (permalink / raw)
  To: Saeed Mahameed
  Cc: Saeed Mahameed, Matan Barak, Leon Romanovsky, Linux Netdev List,
	linux-rdma, linux-kernel, Jes Sorensen, Martin KaFai Lau

Hi Saeed,

Quoting Saeed Mahameed <saeedm@dev.mellanox.co.il>:

> On Sat, Nov 4, 2017 at 8:54 PM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
>> by accessing hn->ai.addr
>>
>> Fix this by copying the MAC address into a local variable for its safe use
>> in all possible execution paths within function mlx5e_execute_l2_action.
>>
>> Addresses-Coverity-ID: 1417789
>> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>
> Acked-by: Saeed Mahameed <saeedm@mellanox.com>
>
> Looks good.
> Thank you Gustavo.
>

Glad to help.

Thanks
--
Gustavo A. R. Silva

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
  2017-11-05  3:54 [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action Gustavo A. R. Silva
@ 2017-11-08  2:00     ` David Miller
  0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2017-11-08  2:00 UTC (permalink / raw)
  To: garsilva-L1vi/lXTdts+Va1GwOuvDg
  Cc: saeedm-VPRAkNaXOzVWk0Htik3J/w, matanb-VPRAkNaXOzVWk0Htik3J/w,
	leonro-VPRAkNaXOzVWk0Htik3J/w, netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA

From: "Gustavo A. R. Silva" <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
Date: Sat, 4 Nov 2017 22:54:53 -0500

> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
> by accessing hn->ai.addr
> 
> Fix this by copying the MAC address into a local variable for its safe use
> in all possible execution paths within function mlx5e_execute_l2_action.
> 
> Addresses-Coverity-ID: 1417789
> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
> Signed-off-by: Gustavo A. R. Silva <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>

Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
@ 2017-11-08  2:00     ` David Miller
  0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2017-11-08  2:00 UTC (permalink / raw)
  To: garsilva; +Cc: saeedm, matanb, leonro, netdev, linux-rdma, linux-kernel

From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
Date: Sat, 4 Nov 2017 22:54:53 -0500

> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
> by accessing hn->ai.addr
> 
> Fix this by copying the MAC address into a local variable for its safe use
> in all possible execution paths within function mlx5e_execute_l2_action.
> 
> Addresses-Coverity-ID: 1417789
> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
  2017-11-08  2:00     ` David Miller
  (?)
@ 2017-11-08 20:55     ` Gustavo A. R. Silva
  -1 siblings, 0 replies; 8+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-08 20:55 UTC (permalink / raw)
  To: David Miller; +Cc: saeedm, matanb, leonro, netdev, linux-rdma, linux-kernel


Quoting David Miller <davem@davemloft.net>:

> From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
> Date: Sat, 4 Nov 2017 22:54:53 -0500
>
>> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
>> by accessing hn->ai.addr
>>
>> Fix this by copying the MAC address into a local variable for its safe use
>> in all possible execution paths within function mlx5e_execute_l2_action.
>>
>> Addresses-Coverity-ID: 1417789
>> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>
> Applied and queued up for -stable, thanks.

Awesome. Thanks!

--
Gustavo A. R. Silva

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2017-11-08 20:55 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-05  3:54 [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action Gustavo A. R. Silva
     [not found] ` <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
2017-11-05  4:43   ` Saeed Mahameed
2017-11-05  4:43     ` Saeed Mahameed
     [not found]     ` <CALzJLG-YW_5AH__q2XHgaQM=xeLy+31LSeQdPAs7RhS=rLpJPw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-06  0:45       ` Gustavo A. R. Silva
2017-11-06  0:45         ` Gustavo A. R. Silva
2017-11-08  2:00   ` David Miller
2017-11-08  2:00     ` David Miller
2017-11-08 20:55     ` Gustavo A. R. Silva

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.