Commit 1dc2b3d6 authored Apr 12, 2019 by Colin Ian King Committed by David S. Miller Apr 12, 2019

qede: fix write to free'd pointer error and double free of ptp



The err2 error return path calls qede_ptp_disable that cleans up
on an error and frees ptp. After this, the free'd ptp is dereferenced
when ptp->clock is set to NULL and the code falls-through to error
path err1 that frees ptp again.

Fix this by calling qede_ptp_disable and exiting via an error
return path that does not set ptp->clock or kfree ptp.

Addresses-Coverity: ("Write to pointer after free")
Fixes: 03574497 ("qede: Add support for PTP resource locking.")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 0a2c34f1

drivers/net/ethernet/qlogic/qede/qede_ptp.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -490,18 +490,17 @@ int qede_ptp_enable(struct qede_dev *edev, bool init_tc)

		ptp->clock = ptp_clock_register(&ptp->clock_info, &edev->pdev->dev);
		if (IS_ERR(ptp->clock)) {
		rc = -EINVAL;
		DP_ERR(edev, "PTP clock registration failed\n");
		qede_ptp_disable(edev);
		rc = -EINVAL;
		goto err2;
		}

		return 0;

		err2:
		qede_ptp_disable(edev);
		ptp->clock = NULL;
		err1:
		kfree(ptp);
		err2:
		edev->ptp = NULL;

		return rc;