mlx5: use after free in mlx5_cmd_comp_handler()

We can't dereference "ent" after passing it to free_cmd().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 4 deletions

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
index 205753a04cfc..40374063c01e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -1113,7 +1113,13 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, unsigned long vector)
 
         for (i = 0; i < (1 << cmd->log_sz); i++) {
                 if (test_bit(i, &vector)) {
+                        struct semaphore *sem;
+
                         ent = cmd->ent_arr[i];
+                        if (ent->page_queue)
+                                sem = &cmd->pages_sem;
+                        else
+                                sem = &cmd->sem;
                         ktime_get_ts(&ent->ts2);
                         memcpy(ent->out->first.data, ent->lay->out, sizeof(ent->lay->out));
                         dump_command(dev, ent, 0);
@@ -1136,10 +1142,7 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, unsigned long vector)
                         } else {
                                 complete(&ent->done);
                         }
-                        if (ent->page_queue)
-                                up(&cmd->pages_sem);
-                        else
-                                up(&cmd->sem);
+                        up(sem);
                 }
         }
 }