[PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
@ 2017-11-05  3:54 Gustavo A. R. Silva
       [not found] ` <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-05  3:54 UTC (permalink / raw)
  To: Saeed Mahameed, Matan Barak, Leon Romanovsky
  Cc: netdev, linux-rdma, linux-kernel, Gustavo A. R. Silva

hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
by accessing hn->ai.addr

Fix this by copying the MAC address into a local variable for its safe use
in all possible execution paths within function mlx5e_execute_l2_action.

Addresses-Coverity-ID: 1417789
Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
index 850cdc9..4837045 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
@@ -365,21 +365,24 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
 				    struct mlx5e_l2_hash_node *hn)
 {
 	u8 action = hn->action;
+	u8 mac_addr[ETH_ALEN];
 	int l2_err = 0;
 
+	ether_addr_copy(mac_addr, hn->ai.addr);
+
 	switch (action) {
 	case MLX5E_ACTION_ADD:
 		mlx5e_add_l2_flow_rule(priv, &hn->ai, MLX5E_FULLMATCH);
-		if (!is_multicast_ether_addr(hn->ai.addr)) {
-			l2_err = mlx5_mpfs_add_mac(priv->mdev, hn->ai.addr);
+		if (!is_multicast_ether_addr(mac_addr)) {
+			l2_err = mlx5_mpfs_add_mac(priv->mdev, mac_addr);
 			hn->mpfs = !l2_err;
 		}
 		hn->action = MLX5E_ACTION_NONE;
 		break;
 
 	case MLX5E_ACTION_DEL:
-		if (!is_multicast_ether_addr(hn->ai.addr) && hn->mpfs)
-			l2_err = mlx5_mpfs_del_mac(priv->mdev, hn->ai.addr);
+		if (!is_multicast_ether_addr(mac_addr) && hn->mpfs)
+			l2_err = mlx5_mpfs_del_mac(priv->mdev, mac_addr);
 		mlx5e_del_l2_flow_rule(priv, &hn->ai);
 		mlx5e_del_l2_from_hash(hn);
 		break;
@@ -387,7 +390,7 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
 
 	if (l2_err)
 		netdev_warn(priv->netdev, "MPFS, failed to %s mac %pM, err(%d)\n",
-			    action == MLX5E_ACTION_ADD ? "add" : "del", hn->ai.addr, l2_err);
+			    action == MLX5E_ACTION_ADD ? "add" : "del", mac_addr, l2_err);
 }
 
 static void mlx5e_sync_netdev_addr(struct mlx5e_priv *priv)
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
       [not found] ` <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
@ 2017-11-05  4:43   ` Saeed Mahameed
       [not found]     ` <CALzJLG-YW_5AH__q2XHgaQM=xeLy+31LSeQdPAs7RhS=rLpJPw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  2017-11-08  2:00   ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Saeed Mahameed @ 2017-11-05  4:43 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Saeed Mahameed, Matan Barak, Leon Romanovsky, Linux Netdev List,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, linux-kernel, Jes Sorensen,
	Martin KaFai Lau

On Sat, Nov 4, 2017 at 8:54 PM, Gustavo A. R. Silva
<garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org> wrote:
> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
> by accessing hn->ai.addr
>
> Fix this by copying the MAC address into a local variable for its safe use
> in all possible execution paths within function mlx5e_execute_l2_action.
>
> Addresses-Coverity-ID: 1417789
> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
> Signed-off-by: Gustavo A. R. Silva <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>

Acked-by: Saeed Mahameed <saeedm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Looks good.
Thank you Gustavo.

> ---
>  drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> index 850cdc9..4837045 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
> @@ -365,21 +365,24 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
>                                     struct mlx5e_l2_hash_node *hn)
>  {
>         u8 action = hn->action;
> +       u8 mac_addr[ETH_ALEN];
>         int l2_err = 0;
>
> +       ether_addr_copy(mac_addr, hn->ai.addr);
> +
>         switch (action) {
>         case MLX5E_ACTION_ADD:
>                 mlx5e_add_l2_flow_rule(priv, &hn->ai, MLX5E_FULLMATCH);
> -               if (!is_multicast_ether_addr(hn->ai.addr)) {
> -                       l2_err = mlx5_mpfs_add_mac(priv->mdev, hn->ai.addr);
> +               if (!is_multicast_ether_addr(mac_addr)) {
> +                       l2_err = mlx5_mpfs_add_mac(priv->mdev, mac_addr);
>                         hn->mpfs = !l2_err;
>                 }
>                 hn->action = MLX5E_ACTION_NONE;
>                 break;
>
>         case MLX5E_ACTION_DEL:
> -               if (!is_multicast_ether_addr(hn->ai.addr) && hn->mpfs)
> -                       l2_err = mlx5_mpfs_del_mac(priv->mdev, hn->ai.addr);
> +               if (!is_multicast_ether_addr(mac_addr) && hn->mpfs)
> +                       l2_err = mlx5_mpfs_del_mac(priv->mdev, mac_addr);
>                 mlx5e_del_l2_flow_rule(priv, &hn->ai);
>                 mlx5e_del_l2_from_hash(hn);
>                 break;
> @@ -387,7 +390,7 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
>
>         if (l2_err)
>                 netdev_warn(priv->netdev, "MPFS, failed to %s mac %pM, err(%d)\n",
> -                           action == MLX5E_ACTION_ADD ? "add" : "del", hn->ai.addr, l2_err);
> +                           action == MLX5E_ACTION_ADD ? "add" : "del", mac_addr, l2_err);
>  }
>
>  static void mlx5e_sync_netdev_addr(struct mlx5e_priv *priv)
> --
> 2.7.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
       [not found]     ` <CALzJLG-YW_5AH__q2XHgaQM=xeLy+31LSeQdPAs7RhS=rLpJPw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2017-11-06  0:45       ` Gustavo A. R. Silva
  0 siblings, 0 replies; 5+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-06  0:45 UTC (permalink / raw)
  To: Saeed Mahameed
  Cc: Saeed Mahameed, Matan Barak, Leon Romanovsky, Linux Netdev List,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, linux-kernel, Jes Sorensen,
	Martin KaFai Lau

Hi Saeed,

Quoting Saeed Mahameed <saeedm-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>:

> On Sat, Nov 4, 2017 at 8:54 PM, Gustavo A. R. Silva
> <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org> wrote:
>> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
>> by accessing hn->ai.addr
>>
>> Fix this by copying the MAC address into a local variable for its safe use
>> in all possible execution paths within function mlx5e_execute_l2_action.
>>
>> Addresses-Coverity-ID: 1417789
>> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
>> Signed-off-by: Gustavo A. R. Silva <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
>
> Acked-by: Saeed Mahameed <saeedm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>
> Looks good.
> Thank you Gustavo.
>

Glad to help.

Thanks
--
Gustavo A. R. Silva





--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
       [not found] ` <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
  2017-11-05  4:43   ` Saeed Mahameed
@ 2017-11-08  2:00   ` David Miller
  2017-11-08 20:55     ` Gustavo A. R. Silva
  1 sibling, 1 reply; 5+ messages in thread
From: David Miller @ 2017-11-08  2:00 UTC (permalink / raw)
  To: garsilva-L1vi/lXTdts+Va1GwOuvDg
  Cc: saeedm-VPRAkNaXOzVWk0Htik3J/w, matanb-VPRAkNaXOzVWk0Htik3J/w,
	leonro-VPRAkNaXOzVWk0Htik3J/w, netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA

From: "Gustavo A. R. Silva" <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
Date: Sat, 4 Nov 2017 22:54:53 -0500

> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
> by accessing hn->ai.addr
> 
> Fix this by copying the MAC address into a local variable for its safe use
> in all possible execution paths within function mlx5e_execute_l2_action.
> 
> Addresses-Coverity-ID: 1417789
> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
> Signed-off-by: Gustavo A. R. Silva <garsilva-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>

Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action
  2017-11-08  2:00   ` David Miller
@ 2017-11-08 20:55     ` Gustavo A. R. Silva
  0 siblings, 0 replies; 5+ messages in thread
From: Gustavo A. R. Silva @ 2017-11-08 20:55 UTC (permalink / raw)
  To: David Miller; +Cc: saeedm, matanb, leonro, netdev, linux-rdma, linux-kernel


Quoting David Miller <davem@davemloft.net>:

> From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
> Date: Sat, 4 Nov 2017 22:54:53 -0500
>
>> hn is being kfree'd in mlx5e_del_l2_from_hash and then dereferenced
>> by accessing hn->ai.addr
>>
>> Fix this by copying the MAC address into a local variable for its safe use
>> in all possible execution paths within function mlx5e_execute_l2_action.
>>
>> Addresses-Coverity-ID: 1417789
>> Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>
> Applied and queued up for -stable, thanks.

Awesome. Thanks!

--
Gustavo A. R. Silva

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-11-08 20:55 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-05  3:54 [PATCH] net/mlx5e/core/en_fs: fix pointer dereference after free in mlx5e_execute_l2_action Gustavo A. R. Silva
     [not found] ` <20171105035453.GA10908-L1vi/lXTdts+Va1GwOuvDg@public.gmane.org>
2017-11-05  4:43   ` Saeed Mahameed
     [not found]     ` <CALzJLG-YW_5AH__q2XHgaQM=xeLy+31LSeQdPAs7RhS=rLpJPw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-06  0:45       ` Gustavo A. R. Silva
2017-11-08  2:00   ` David Miller
2017-11-08 20:55     ` Gustavo A. R. Silva

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).