diff mbox series

[net] qed: Use after free in qed_rdma_free()

Message ID 20180313090938.GA17609@mwanda
State Accepted, archived
Delegated to: David Miller
Headers show
Series [net] qed: Use after free in qed_rdma_free() | expand

Commit Message

Dan Carpenter March 13, 2018, 9:09 a.m. UTC 
We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
before in qed_rdma_resc_free(p_hwfn).

Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Michal Kalderon March 13, 2018, 9:40 a.m. UTC | #1 
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Tuesday, March 13, 2018 11:10 AM
> To: Elior, Ariel <Ariel.Elior@cavium.com>; Kalderon, Michal
> <Michal.Kalderon@cavium.com>
> Cc: Dept-Eng Everest Linux L2 <Dept-EngEverestLinuxL2@cavium.com>;
> netdev@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH net] qed: Use after free in qed_rdma_free()
> 
> We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
> before in qed_rdma_resc_free(p_hwfn).
> 
> Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> index f3ee6538b553..a411f9c702a1 100644
> --- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> +++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
> @@ -379,8 +379,8 @@ static void qed_rdma_free(struct qed_hwfn
> *p_hwfn)
>  	DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
> 
>  	qed_rdma_free_reserved_lkey(p_hwfn);
> -	qed_rdma_resc_free(p_hwfn);
>  	qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto);
> +	qed_rdma_resc_free(p_hwfn);
>  }
> 
>  static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid)
Thanks,

Acked-by: Michal Kalderon <Michal.Kalderon@cavium.com>
David Miller March 13, 2018, 2:55 p.m. UTC | #2 
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 13 Mar 2018 12:09:38 +0300

> We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line
> before in qed_rdma_resc_free(p_hwfn).
> 
> Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied, thank you.
diff mbox series

Patch

diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
index f3ee6538b553..a411f9c702a1 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
@@ -379,8 +379,8 @@  static void qed_rdma_free(struct qed_hwfn *p_hwfn)
 	DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
 
 	qed_rdma_free_reserved_lkey(p_hwfn);
-	qed_rdma_resc_free(p_hwfn);
 	qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto);
+	qed_rdma_resc_free(p_hwfn);
 }
 
 static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid)