mlx4: Fixing use after free

In case of allocation failure, tried to use the promiscuous QP entry that was previously freed. Now freeing this entry only in case we will not put it back to the list of promiscuous entries. Reported-by: N Dan Carpenter <error27@gmail.com> Signed-off-by: N Yevgeny Petrilin <yevgenyp@mellanox.co.il> Signed-off-by: N David S. Miller <davem@davemloft.net>

mlx4: Fixing use after free
In case of allocation failure, tried to use the promiscuous QP entry that was previously freed. Now freeing this entry only in case we will not put it back to the list of promiscuous entries. Reported-by: N Dan Carpenter <error27@gmail.com> Signed-off-by: N Yevgeny Petrilin <yevgenyp@mellanox.co.il> Signed-off-by: N David S. Miller <davem@davemloft.net>
53020092 · Yevgeny Petrilin · David S. Miller · 5e8996e7 · 53020092
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/net/mlx4/mcg.c drivers/net/mlx4/mcg.c +2 -1

未找到文件。
--- a/drivers/net/mlx4/mcg.c
+++ b/drivers/net/mlx4/mcg.c
@@ -469,7 +469,6 @@ static int remove_promisc_qp(struct mlx4_dev *dev, u8 vep_num, u8 port,
 	/*remove from list of promisc qps */
 	list_del(&pqp->list);
-	kfree(pqp);
 	/* set the default entry not to include the removed one */
 	mailbox = mlx4_alloc_cmd_mailbox(dev);
@@ -528,6 +527,8 @@ static int remove_promisc_qp(struct mlx4_dev *dev, u8 vep_num, u8 port,
 out_list:
 	if (back_to_list)
 		list_add_tail(&pqp->list, &s_steer->promisc_qps[steer]);
+	else
+		kfree(pqp);
 out_mutex:
 	mutex_unlock(&priv->mcg_table.mutex);
 	return err;