From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Parav Pandit <parav@mellanox.com>,
Mark Bloch <markb@mellanox.com>,
Saeed Mahameed <saeedm@mellanox.com>
Subject: [PATCH 5.0 20/36] net/mlx5: Avoid double free in fs init error unwinding path
Date: Mon, 3 Jun 2019 11:09:08 +0200 [thread overview]
Message-ID: <20190603090522.324158521@linuxfoundation.org> (raw)
In-Reply-To: <20190603090520.998342694@linuxfoundation.org>
From: Parav Pandit <parav@mellanox.com>
[ Upstream commit 9414277a5df3669c67e818708c0f881597e0118e ]
In below code flow, for ingress acl table root ns memory leads
to double free.
mlx5_init_fs
init_ingress_acls_root_ns()
init_ingress_acl_root_ns
kfree(steering->esw_ingress_root_ns);
/* steering->esw_ingress_root_ns is not marked NULL */
mlx5_cleanup_fs
cleanup_ingress_acls_root_ns
steering->esw_ingress_root_ns non NULL check passes.
kfree(steering->esw_ingress_root_ns);
/* double free */
Similar issue exist for other tables.
Hence zero out the pointers to not process the table again.
Fixes: 9b93ab981e3bf ("net/mlx5: Separate ingress/egress namespaces for each vport")
Fixes: 40c3eebb49e51 ("net/mlx5: Add support in RDMA RX steering")
Signed-off-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -2390,6 +2390,7 @@ static void cleanup_egress_acls_root_ns(
cleanup_root_ns(steering->esw_egress_root_ns[i]);
kfree(steering->esw_egress_root_ns);
+ steering->esw_egress_root_ns = NULL;
}
static void cleanup_ingress_acls_root_ns(struct mlx5_core_dev *dev)
@@ -2404,6 +2405,7 @@ static void cleanup_ingress_acls_root_ns
cleanup_root_ns(steering->esw_ingress_root_ns[i]);
kfree(steering->esw_ingress_root_ns);
+ steering->esw_ingress_root_ns = NULL;
}
void mlx5_cleanup_fs(struct mlx5_core_dev *dev)
@@ -2572,6 +2574,7 @@ cleanup_root_ns:
for (i--; i >= 0; i--)
cleanup_root_ns(steering->esw_egress_root_ns[i]);
kfree(steering->esw_egress_root_ns);
+ steering->esw_egress_root_ns = NULL;
return err;
}
@@ -2599,6 +2602,7 @@ cleanup_root_ns:
for (i--; i >= 0; i--)
cleanup_root_ns(steering->esw_ingress_root_ns[i]);
kfree(steering->esw_ingress_root_ns);
+ steering->esw_ingress_root_ns = NULL;
return err;
}
next prev parent reply other threads:[~2019-06-03 9:11 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-03 9:08 [PATCH 5.0 00/36] 5.0.21-stable review Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 01/36] bonding/802.3ad: fix slave link initialization transition states Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 02/36] cxgb4: offload VLAN flows regardless of VLAN ethtype Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 03/36] inet: switch IP ID generator to siphash Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 04/36] ipv4/igmp: fix another memory leak in igmpv3_del_delrec() Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 05/36] ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 06/36] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 07/36] ipv6: Fix redirect with VRF Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 08/36] llc: fix skb leak in llc_build_and_send_ui_pkt() Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 09/36] mlxsw: spectrum_acl: Avoid warning after identical rules insertion Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 10/36] net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT Greg Kroah-Hartman
2019-06-03 9:08 ` [PATCH 5.0 11/36] net: fec: fix the clk mismatch in failed_reset path Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 12/36] net-gro: fix use-after-free read in napi_gro_frags() Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 13/36] net: mvneta: Fix err code path of probe Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 14/36] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 15/36] net: phy: marvell10g: report if the PHY fails to boot firmware Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 16/36] net: sched: dont use tc_action->order during action dump Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 17/36] net: stmmac: fix reset gpio free missing Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 18/36] r8169: fix MAC address being lost in PCI D3 Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 19/36] usbnet: fix kernel crash after disconnect Greg Kroah-Hartman
2019-06-03 9:09 ` Greg Kroah-Hartman [this message]
2019-06-03 9:09 ` [PATCH 5.0 21/36] tipc: Avoid copying bytes beyond the supplied data Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 22/36] net/mlx5: Allocate root ns memory using kzalloc to match kfree Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 23/36] net/mlx5e: Disable rxhash when CQE compress is enabled Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 25/36] net: stmmac: dma channel control register need to be init first Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 26/36] bnxt_en: Fix aggregation buffer leak under OOM condition Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 27/36] bnxt_en: Fix possible BUG() condition when calling pci_disable_msix() Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 28/36] bnxt_en: Reduce memory usage when running in kdump kernel Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 29/36] net/tls: fix state removal with feature flags off Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 30/36] net/tls: dont ignore netdev notifications if no TLS features Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 31/36] cxgb4: Revert "cxgb4: Remove SGE_HOST_PAGE_SIZE dependency on page size" Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 32/36] net: correct zerocopy refcnt with udp MSG_MORE Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 33/36] crypto: vmx - ghash: do nosimd fallback manually Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 34/36] xen/pciback: Dont disable PCI_COMMAND on PCI device reset Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 35/36] Revert "tipc: fix modprobe tipc failed after switch order of device registration" Greg Kroah-Hartman
2019-06-03 9:09 ` [PATCH 5.0 36/36] tipc: fix modprobe tipc failed after switch order of device registration Greg Kroah-Hartman
2019-06-03 15:09 ` [PATCH 5.0 00/36] 5.0.21-stable review kernelci.org bot
2019-06-03 17:17 ` Guenter Roeck
2019-06-03 17:59 ` Naresh Kamboju
2019-06-03 18:33 ` Jon Hunter
2019-06-03 18:33 ` Jon Hunter
2019-06-03 23:32 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190603090522.324158521@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=markb@mellanox.com \
--cc=parav@mellanox.com \
--cc=saeedm@mellanox.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.