diff options
| author | Roi Dayan <roid@mellanox.com> | 2017-08-21 05:04:50 -0400 |
|---|---|---|
| committer | Saeed Mahameed <saeedm@mellanox.com> | 2017-09-28 00:23:09 -0400 |
| commit | 38e8a5c040d3ec99a8351c688dcdf0f549611565 (patch) | |
| tree | 24cbe56b95e9aefe95b2bc8f3d6e5e6c18e6dc2c | |
| parent | c2cc187e53011c1c4931055984657da9085c763b (diff) | |
net/mlx5e: IPoIB, Fix access to invalid memory address
When cleaning rdma netdevice we need to save the mdev pointer
because priv is released when we release netdev.
This bug was found using the kernel address sanitizer (KASAN).
use-after-free in mlx5_rdma_netdev_free+0xe3/0x100 [mlx5_core]
Fixes: 48935bbb7ae8 ("net/mlx5e: IPoIB, Add netdevice profile skeleton")
Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
| -rw-r--r-- | drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c index 85298051a3e4..145e392ab849 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | |||
| @@ -572,12 +572,13 @@ void mlx5_rdma_netdev_free(struct net_device *netdev) | |||
| 572 | { | 572 | { |
| 573 | struct mlx5e_priv *priv = mlx5i_epriv(netdev); | 573 | struct mlx5e_priv *priv = mlx5i_epriv(netdev); |
| 574 | const struct mlx5e_profile *profile = priv->profile; | 574 | const struct mlx5e_profile *profile = priv->profile; |
| 575 | struct mlx5_core_dev *mdev = priv->mdev; | ||
| 575 | 576 | ||
| 576 | mlx5e_detach_netdev(priv); | 577 | mlx5e_detach_netdev(priv); |
| 577 | profile->cleanup(priv); | 578 | profile->cleanup(priv); |
| 578 | destroy_workqueue(priv->wq); | 579 | destroy_workqueue(priv->wq); |
| 579 | free_netdev(netdev); | 580 | free_netdev(netdev); |
| 580 | 581 | ||
| 581 | mlx5e_destroy_mdev_resources(priv->mdev); | 582 | mlx5e_destroy_mdev_resources(mdev); |
| 582 | } | 583 | } |
| 583 | EXPORT_SYMBOL(mlx5_rdma_netdev_free); | 584 | EXPORT_SYMBOL(mlx5_rdma_netdev_free); |