提交 2076a690 编写于 作者: D David Awogbemila 提交者: Zheng Zengkai

gve: Add NULL pointer checks when freeing irqs.

stable inclusion
from stable-5.10.42
commit da21a35c00ff1a1794d4f166d3b3fa8db4d0f6fb
bugzilla: 55093
CVE: NA

--------------------------------

[ Upstream commit 5218e919 ]

When freeing notification blocks, we index priv->msix_vectors.
If we failed to allocate priv->msix_vectors (see abort_with_msix_vectors)
this could lead to a NULL pointer dereference if the driver is unloaded.

Fixes: 893ce44d ("gve: Add basic driver framework for Compute Engine Virtual NIC")
Signed-off-by: NDavid Awogbemila <awogbemila@google.com>
Acked-by: NWillem de Brujin <willemb@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NChen Jun <chenjun102@huawei.com>
Acked-by: NWeilong Chen <chenweilong@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
上级 33f36420
...@@ -301,20 +301,22 @@ static void gve_free_notify_blocks(struct gve_priv *priv) ...@@ -301,20 +301,22 @@ static void gve_free_notify_blocks(struct gve_priv *priv)
{ {
int i; int i;
/* Free the irqs */ if (priv->msix_vectors) {
for (i = 0; i < priv->num_ntfy_blks; i++) { /* Free the irqs */
struct gve_notify_block *block = &priv->ntfy_blocks[i]; for (i = 0; i < priv->num_ntfy_blks; i++) {
int msix_idx = i; struct gve_notify_block *block = &priv->ntfy_blocks[i];
int msix_idx = i;
irq_set_affinity_hint(priv->msix_vectors[msix_idx].vector,
NULL); irq_set_affinity_hint(priv->msix_vectors[msix_idx].vector,
free_irq(priv->msix_vectors[msix_idx].vector, block); NULL);
free_irq(priv->msix_vectors[msix_idx].vector, block);
}
free_irq(priv->msix_vectors[priv->mgmt_msix_idx].vector, priv);
} }
dma_free_coherent(&priv->pdev->dev, dma_free_coherent(&priv->pdev->dev,
priv->num_ntfy_blks * sizeof(*priv->ntfy_blocks), priv->num_ntfy_blks * sizeof(*priv->ntfy_blocks),
priv->ntfy_blocks, priv->ntfy_block_bus); priv->ntfy_blocks, priv->ntfy_block_bus);
priv->ntfy_blocks = NULL; priv->ntfy_blocks = NULL;
free_irq(priv->msix_vectors[priv->mgmt_msix_idx].vector, priv);
pci_disable_msix(priv->pdev); pci_disable_msix(priv->pdev);
kvfree(priv->msix_vectors); kvfree(priv->msix_vectors);
priv->msix_vectors = NULL; priv->msix_vectors = NULL;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册