qed: Fix a potential use-after-free in qed_cxt_tables_alloc

dinghaoliu · gregkh · commit 5d9d500a2811 · 2023-12-20T15:41:16.000+01:00
[ Upstream commit b65d52a ] qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to free p_hwfn->p_cxt_mngr->ilt_shadow on error. However, qed_cxt_tables_alloc() accesses the freed pointer on failure of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(), which may lead to use-after-free. Fix this issue by setting p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free(). Fixes: fe56b9e ("qed: Add module with basic common support") Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> Link: https://lore.kernel.org/r/20231210045255.21383-1-dinghao.liu@zju.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1023,6 +1023,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
 		p_dma->p_virt = NULL;
 	}
 	kfree(p_mngr->ilt_shadow);
+	p_mngr->ilt_shadow = NULL;
 }
 
 static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,

Original file line number	Diff line number	Diff line change
`@@ -1023,6 +1023,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)`
`1023`	`1023`	`p_dma->p_virt = NULL;`
`1024`	`1024`	`}`
`1025`	`1025`	`kfree(p_mngr->ilt_shadow);`
	`1026`	`+ p_mngr->ilt_shadow = NULL;`
`1026`	`1027`	`}`
`1027`	`1028`
`1028`	`1029`	`static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,`