From: Saeed Mahameed <saeed@kernel.org>
To: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Cc: Saeed Mahameed <saeedm@nvidia.com>,
	netdev@vger.kernel.org, Tariq Toukan <tariqt@nvidia.com>,
	Shay Drory <shayd@nvidia.com>,
	Dan Carpenter <dan.carpenter@linaro.org>,
	Automatic Verification <verifier@nvidia.com>,
	Gal Pressman <gal@nvidia.com>, Moshe Shemesh <moshe@nvidia.com>
Subject: [net-next V2 01/15] net/mlx5: Fix UAF in mlx5_eswitch_cleanup()
Date: Fri, 23 Jun 2023 12:28:53 -0700
Message-ID: <20230623192907.39033-2-saeed@kernel.org>
In-Reply-To: <20230623192907.39033-1-saeed@kernel.org>

From: Shay Drory <shayd@nvidia.com>

mlx5_eswitch_cleanup() is using esw right after freeing it for
releasing devlink_param.
Fix it by releasing the devlink_param before freeing the esw, and
adjust the create function accordingly.

Fixes: 3f90840305e2 ("net/mlx5: Move esw multiport devlink param to eswitch code")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Automatic Verification <verifier@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 .../net/ethernet/mellanox/mlx5/core/eswitch.c  | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 5aaedbf71783..b4e465856127 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1751,16 +1751,14 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
 	if (!MLX5_VPORT_MANAGER(dev) && !MLX5_ESWITCH_MANAGER(dev))
 		return 0;
 
+	esw = kzalloc(sizeof(*esw), GFP_KERNEL);
+	if (!esw)
+		return -ENOMEM;
+
 	err = devl_params_register(priv_to_devlink(dev), mlx5_eswitch_params,
 				   ARRAY_SIZE(mlx5_eswitch_params));
 	if (err)
-		return err;
-
-	esw = kzalloc(sizeof(*esw), GFP_KERNEL);
-	if (!esw) {
-		err = -ENOMEM;
-		goto unregister_param;
-	}
+		goto free_esw;
 
 	esw->dev = dev;
 	esw->manager_vport = mlx5_eswitch_manager_vport(dev);
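Review bot: Moving the kzalloc() of esw above devl_params_register() at the top of mlx5_eswitch_init() is not needed for the use-after-free itself, which is confined to mlx5_eswitch_cleanup(); the init error path passes priv_to_devlink(dev), not esw->dev, so it never read freed memory. The commit message's "adjust the create function accordingly" would be clearer if it stated that the reorder is there so init acquires in the exact reverse of the order cleanup now releases (allocate esw, then register params; unregister params, then free esw). The hunk itself looks fine: a failed devl_params_register() now jumps to free_esw with only the zeroed allocation to undo.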
@@ -1821,10 +1819,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
 	if (esw->work_queue)
 		destroy_workqueue(esw->work_queue);
 	debugfs_remove_recursive(esw->debugfs_root);
-	kfree(esw);
-unregister_param:
 	devl_params_unregister(priv_to_devlink(dev), mlx5_eswitch_params,
 			       ARRAY_SIZE(mlx5_eswitch_params));
+free_esw:
+	kfree(esw);
 	return err;
 }
 
@@ -1848,9 +1846,9 @@ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
 	esw_offloads_cleanup(esw);
 	mlx5_esw_vports_cleanup(esw);
 	debugfs_remove_recursive(esw->debugfs_root);
-	kfree(esw);
 	devl_params_unregister(priv_to_devlink(esw->dev), mlx5_eswitch_params,
 			       ARRAY_SIZE(mlx5_eswitch_params));
+	kfree(esw);
 }
 
 /* Vport Administration */
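Review bot: In mlx5_eswitch_cleanup() the fix is only correct as long as kfree(esw) stays the final statement, because the devl_params_unregister() call just above it still evaluates esw->dev, and nothing in the code records that constraint. Consider a one-line comment above the kfree(), or reading esw->dev into a local struct mlx5_core_dev pointer at the top of the function and passing that to priv_to_devlink(), so a later patch that appends teardown steps after the free cannot reintroduce the same read of freed memory. Since the original ordering was reported by static analysis rather than caught at runtime, exercising the unload path under KASAN would be a useful check for this change.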
-- 
2.41.0

