Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 11940c87 authored by Dan Carpenter's avatar Dan Carpenter Committed by Roland Dreier
Browse files

mlx5_core: Fix use after free in mlx5_cmd_comp_handler() 



We can't dereference "ent" after passing it to free_cmd().

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarEli Cohen <eli@mellanox.com>
Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
parent 92b0ca7c

drivers/net/ethernet/mellanox/mlx5/core/cmd.c

+7 −4
Original line number Original line Diff line number Diff line
@@ -1113,7 +1113,13 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, unsigned long vector) 




	for (i = 0; i < (1 << cmd->log_sz); i++) {

	for (i = 0; i < (1 << cmd->log_sz); i++) {

		if (test_bit(i, &vector)) {

		if (test_bit(i, &vector)) {

			struct semaphore *sem;



			ent = cmd->ent_arr[i];

			ent = cmd->ent_arr[i];

			if (ent->page_queue)

				sem = &cmd->pages_sem;

			else

				sem = &cmd->sem;

			ktime_get_ts(&ent->ts2);

			ktime_get_ts(&ent->ts2);

			memcpy(ent->out->first.data, ent->lay->out, sizeof(ent->lay->out));

			memcpy(ent->out->first.data, ent->lay->out, sizeof(ent->lay->out));

			dump_command(dev, ent, 0);

			dump_command(dev, ent, 0);
@@ -1136,10 +1142,7 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, unsigned long vector) 
			} else {

			} else {

				complete(&ent->done);

				complete(&ent->done);

			}

			}

			if (ent->page_queue)

			up(sem);

				up(&cmd->pages_sem);

			else

				up(&cmd->sem);

		}

		}

	}

	}

}

}