Message ID | X8ilb6PtBRLWiSHp@mwanda |
---|---|
State | Not Applicable |
Series | [net] chelsio/chtls: fix a double free in chtls_setkey() |
On Thu, 3 Dec 2020 11:44:31 +0300 Dan Carpenter wrote:
> The "skb" is freed by the transmit code in cxgb4_ofld_send() and we
> shouldn't use it again. But in the current code, if we hit an error
> later on in the function then the clean up code will call kfree_skb(skb)
> and so it causes a double free.
>
> Set the "skb" to NULL and that makes the kfree_skb() a no-op.
>
> Fixes: d25f2f71f653 ("crypto: chtls - Program the TLS session Key")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied, thanks!
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c index 62c829023da5..a4fb463af22a 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c @@ -391,6 +391,7 @@ int chtls_setkey(struct chtls_sock *csk, u32 keylen, csk->wr_unacked += DIV_ROUND_UP(len, 16); enqueue_wr(csk, skb); cxgb4_ofld_send(csk->egress_dev, skb); + skb = NULL; chtls_set_scmd(csk); /* Clear quiesce for Rx key */
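Review bot: the added `skb = NULL;` after `cxgb4_ofld_send(csk->egress_dev, skb);` carries no comment saying why the pointer is cleared, so a later reader could take it for a dead store and remove it. A short comment on that line, stating that the skb has been handed to the transmit path and must not be freed by the cleanup code further down, would keep the ownership rule visible where it matters. The call's return value is also discarded in the context line above, so it is worth confirming that the skb is consumed on every return from `cxgb4_ofld_send()`; if it is not, clearing the pointer unconditionally would trade the double free for a leak on that path.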
The "skb" is freed by the transmit code in cxgb4_ofld_send() and we shouldn't use it again. But in the current code, if we hit an error later on in the function then the clean up code will call kfree_skb(skb) and so it causes a double free.

Set the "skb" to NULL and that makes the kfree_skb() a no-op.

Fixes: d25f2f71f653 ("crypto: chtls - Program the TLS session Key")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

---
 drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c | 1 +
 1 file changed, 1 insertion(+)