Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 53020092 authored by Yevgeny Petrilin's avatar Yevgeny Petrilin Committed by David S. Miller
Browse files

mlx4: Fixing use after free 



In case of allocation failure, tried to use the promiscuous QP
entry that was previously freed.
Now freeing this entry only in case we will not put it back to the list
of promiscuous entries.

Reported-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarYevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5e8996e7

drivers/net/mlx4/mcg.c

+2 −1
Original line number Diff line number Diff line
@@ -469,7 +469,6 @@ static int remove_promisc_qp(struct mlx4_dev *dev, u8 vep_num, u8 port, 


	/*remove from list of promisc qps */

	list_del(&pqp->list);

	kfree(pqp);



	/* set the default entry not to include the removed one */

	mailbox = mlx4_alloc_cmd_mailbox(dev);
@@ -528,6 +527,8 @@ out_mailbox: 
out_list:

	if (back_to_list)

		list_add_tail(&pqp->list, &s_steer->promisc_qps[steer]);

	else

		kfree(pqp);

out_mutex:

	mutex_unlock(&priv->mcg_table.mutex);

	return err;