From patchwork Mon Jan 15 20:24:49 2018
X-Patchwork-Submitter: Roland Dreier
X-Patchwork-Id: 861070
X-Patchwork-Delegate: davem@davemloft.net
From: Roland Dreier
To: Ariel Elior, everest-linux-l2@cavium.com
Cc: netdev@vger.kernel.org
Subject: [PATCH] qed: Fix potential use-after-free in qed_spq_post()
Date: Mon, 15 Jan 2018 12:24:49 -0800
Message-Id: <20180115202449.14830-1-roland@kernel.org>
X-Mailer: git-send-email 2.14.1
X-Mailing-List: netdev@vger.kernel.org

From: Roland Dreier

We need to check if p_ent->comp_mode is QED_SPQ_MODE_EBLOCK before
calling qed_spq_add_entry().  The test is fine if the mode is EBLOCK,
but if it isn't then qed_spq_add_entry() might kfree(p_ent).

Signed-off-by: Roland Dreier
---
 drivers/net/ethernet/qlogic/qed/qed_spq.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_spq.c b/drivers/net/ethernet/qlogic/qed/qed_spq.c
index be48d9abd001..3588081b2e27 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_spq.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_spq.c
@@ -776,6 +776,7 @@ int qed_spq_post(struct qed_hwfn *p_hwfn, int rc = 0; struct qed_spq *p_spq = p_hwfn ? p_hwfn->p_spq : NULL; bool b_ret_ent = true; + bool eblock; if (!p_hwfn) return -EINVAL; @@ -794,6 +795,11 @@ int qed_spq_post(struct qed_hwfn *p_hwfn, if (rc) goto spq_post_fail; + /* Check if entry is in block mode before qed_spq_add_entry, + * which might kfree p_ent. + */ + eblock = (p_ent->comp_mode == QED_SPQ_MODE_EBLOCK); + /* Add the request to the pending queue */ rc = qed_spq_add_entry(p_hwfn, p_ent, p_ent->priority); if (rc) @@ -811,7 +817,7 @@ int qed_spq_post(struct qed_hwfn *p_hwfn, spin_unlock_bh(&p_spq->lock); - if (p_ent->comp_mode == QED_SPQ_MODE_EBLOCK) { + if (eblock) { /* For entries in QED BLOCK mode, the completion code cannot * perform the necessary cleanup - if it did, we couldn't * access p_ent here to see whether it's successful or not.
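Review bot: in the first hunk `bool eblock;` is added without an initialiser and is assigned only after the `if (rc) goto spq_post_fail;` check in the second hunk, so every path that reaches the `if (eblock)` test in the third hunk has passed the assignment today; initialising it at the declaration (`bool eblock = false;`) costs nothing and keeps that true if a later early exit is added between the two points. The existing flag in this function is spelled `b_ret_ent`, so `b_eblock` would match the local naming convention.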
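Review bot: in the second hunk the new comment says qed_spq_add_entry() "might kfree p_ent" but not when; the commit message gives the condition (only when comp_mode is not QED_SPQ_MODE_EBLOCK), and putting it in the comment, e.g. `/* qed_spq_add_entry() may kfree p_ent unless it is in EBLOCK mode, so snapshot the mode before the call. */`, tells the next reader why the snapshot must sit exactly here rather than at function entry. The `if (rc)` immediately after the call deserves the same scrutiny: once qed_spq_add_entry() has returned, p_ent has to be treated as possibly freed on the failure path too, so whatever that goto leads to should not dereference p_ent unless the failure case provably leaves it allocated, and a comment saying which applies would close the question.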
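Review bot: in the third hunk `if (eblock)` replaces a dereference of p_ent that was evaluated after spin_unlock_bh() on every path, which is the fix itself; the dereferences that remain inside the block are justified only by the kept comment that the completion code cannot clean up EBLOCK entries, so one added sentence there, e.g. "when eblock is false p_ent may already have been freed by qed_spq_add_entry() and must not be touched", would record the invariant the new variable depends on. The patch shows nothing of the function past this point, so any later p_ent use on the non-EBLOCK path still needs the same check.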
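The ownership hazard the commit message describes, reduced to a stand-alone C model: a callee that conditionally frees the object it was handed, a caller written the way the pre-patch code was (reading a field after the call), and a caller written the way the patch does it (snapshotting the field first). This is an added example, not code from the qed driver or from the patch author: the `model_*` names, the `spq` pool slot, the `SPQ_POISON` value and the "quarantining" free are assumptions chosen so the stale read is deterministic and checkable instead of undefined behaviour; a real kfree() gives no such guarantee, which is exactly why the bug is dangerous.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Completion modes, modelled on QED_SPQ_MODE_EBLOCK versus callback modes. */
enum spq_mode { SPQ_MODE_EBLOCK = 1, SPQ_MODE_CB = 2 };

/* Value a stale read observes after model_kfree() below has poisoned the
 * object. This is an assumption of the model (it mimics a slab poison
 * pattern); a real kfree() leaves whatever the allocator leaves. */
#define SPQ_POISON 0x6b6b6b6b

struct spq_entry {
	int comp_mode;
	int priority;
	int fw_return_code;
};

struct spq {
	bool ring_full;             /* no room on the chain: entry goes to a pool slot */
	struct spq_entry pool_slot; /* the copy the pool keeps (hypothetical) */
};

/* Model of kfree(): instead of releasing memory, which would make the later
 * read undefined behaviour, quarantine the object and poison it so that a
 * use-after-free shows up as a deterministic wrong value. */
static void model_kfree(struct spq_entry *e)
{
	e->comp_mode = SPQ_POISON;
	e->priority = SPQ_POISON;
	e->fw_return_code = SPQ_POISON;
}

/* Model of qed_spq_add_entry(): when the chain is full the entry is copied
 * into a pool-owned slot and, unless the caller is going to block on the
 * completion (EBLOCK), the caller's copy is freed here because nobody else
 * will ever hand it back. Ownership of e therefore leaves the caller. */
static int model_add_entry(struct spq *q, struct spq_entry *e)
{
	if (q->ring_full) {
		q->pool_slot = *e;
		if (e->comp_mode != SPQ_MODE_EBLOCK)
			model_kfree(e);
	}
	return 0;
}

/* Before the patch: reads e->comp_mode after the call that may free e.
 * Returns the mode the function ends up acting on. */
static int post_before_fix(struct spq *q, struct spq_entry *e)
{
	model_add_entry(q, e);
	return e->comp_mode;        /* use-after-free when e was just freed */
}

/* After the patch: snapshot the mode first and dereference e afterwards
 * only when it is known to still be ours (EBLOCK entries are never freed
 * by model_add_entry()). */
static int post_after_fix(struct spq *q, struct spq_entry *e)
{
	bool eblock = (e->comp_mode == SPQ_MODE_EBLOCK);

	model_add_entry(q, e);
	if (eblock)
		return e->comp_mode;    /* safe: still owned by the caller */
	return SPQ_MODE_CB;             /* must not touch e here */
}

/* Drive one post: allocate an entry the way the unlimited-pending path
 * would, post it through the chosen version and return the mode it acted
 * on. The quarantine never really freed the entry, so free it at the end. */
static int run_post(bool fixed, bool ring_full, int mode)
{
	struct spq q = { .ring_full = ring_full };
	struct spq_entry *e = malloc(sizeof(*e));
	int seen;

	if (!e)
		return -1;
	e->comp_mode = mode;
	e->priority = 0;
	e->fw_return_code = 0;
	seen = fixed ? post_after_fix(&q, e) : post_before_fix(&q, e);
	free(e);
	return seen;
}

int main(void)
{
	printf("before fix, chain full, CB entry: saw mode 0x%x (poison is 0x%x)\n",
	       run_post(false, true, SPQ_MODE_CB), SPQ_POISON);
	printf("after fix,  chain full, CB entry: saw mode %d\n",
	       run_post(true, true, SPQ_MODE_CB));
	printf("after fix,  chain full, EBLOCK:   saw mode %d\n",
	       run_post(true, true, SPQ_MODE_EBLOCK));
	return 0;
}
```

The pre-fix version only misbehaves when the chain is full and the entry is not EBLOCK, which is why the bug is easy to miss in testing: on an idle adapter the chain is never full and `p_ent` is never freed under the caller. The general rule the fix applies is to copy out everything you need from an object before passing it to a callee that may take ownership of it, and afterwards to dereference it only on paths where ownership provably stayed with you.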