[thirdparty/kernel/stable-queue.git] / releases / 4.19.35 / net-mlx5-add-a-missing-check-on-idr_find-free-buf.patch

From ecece7988767c542c30eb7cac56d72c77b28ffda Mon Sep 17 00:00:00 2001
From: Aditya Pakki <pakki001@umn.edu>
Date: Tue, 19 Mar 2019 16:42:40 -0500
Subject: net: mlx5: Add a missing check on idr_find, free buf

[ Upstream commit 8e949363f017e2011464812a714fb29710fb95b4 ]

idr_find() can return a NULL value to 'flow' which is used without a
check. The patch adds a check to avoid potential NULL pointer dereference.

In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated
using kzalloc.

Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
index 5cf5f2a9d51f..8de64e88c670 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
@@ -217,15 +217,21 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
 	void *cmd;
 	int ret;
 
+	rcu_read_lock();
+	flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
+	rcu_read_unlock();
+
+	if (!flow) {
+		WARN_ONCE(1, "Received NULL pointer for handle\n");
+		return -EINVAL;
+	}
+
 	buf = kzalloc(size, GFP_ATOMIC);
 	if (!buf)
 		return -ENOMEM;
 
 	cmd = (buf + 1);
 
-	rcu_read_lock();
-	flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
-	rcu_read_unlock();
 	mlx5_fpga_tls_flow_to_cmd(flow, cmd);
 
 	MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
@@ -238,6 +244,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
 	buf->complete = mlx_tls_kfree_complete;
 
 	ret = mlx5_fpga_sbu_conn_sendmsg(mdev->fpga->tls->conn, buf);
+	if (ret < 0)
+		kfree(buf);
 
 	return ret;
 }
-- 
2.19.1
Commit	Line	Data
a9fba688 SL	1	From ecece7988767c542c30eb7cac56d72c77b28ffda Mon Sep 17 00:00:00 2001
	2	From: Aditya Pakki <pakki001@umn.edu>
	3	Date: Tue, 19 Mar 2019 16:42:40 -0500
	4	Subject: net: mlx5: Add a missing check on idr_find, free buf
	5
	6	[ Upstream commit 8e949363f017e2011464812a714fb29710fb95b4 ]
	7
	8	idr_find() can return a NULL value to 'flow' which is used without a
	9	check. The patch adds a check to avoid potential NULL pointer dereference.
	10
	11	In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated
	12	using kzalloc.
	13
	14	Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
	15	Signed-off-by: Aditya Pakki <pakki001@umn.edu>
	16	Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
	17	Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
	18	Signed-off-by: Sasha Levin <sashal@kernel.org>
	19	---
	20	drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c \| 14 +++++++++++---
	21	1 file changed, 11 insertions(+), 3 deletions(-)
	22
	23	diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
	24	index 5cf5f2a9d51f..8de64e88c670 100644
	25	--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
	26	+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
	27	@@ -217,15 +217,21 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
	28	void *cmd;
	29	int ret;
	30
	31	+ rcu_read_lock();
	32	+ flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
	33	+ rcu_read_unlock();
	34	+
	35	+ if (!flow) {
	36	+ WARN_ONCE(1, "Received NULL pointer for handle\n");
	37	+ return -EINVAL;
	38	+ }
	39	+
	40	buf = kzalloc(size, GFP_ATOMIC);
	41	if (!buf)
	42	return -ENOMEM;
	43
	44	cmd = (buf + 1);
	45
	46	- rcu_read_lock();
	47	- flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
	48	- rcu_read_unlock();
	49	mlx5_fpga_tls_flow_to_cmd(flow, cmd);
	50
	51	MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
	52	@@ -238,6 +244,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
	53	buf->complete = mlx_tls_kfree_complete;
	54
	55	ret = mlx5_fpga_sbu_conn_sendmsg(mdev->fpga->tls->conn, buf);
	56	+ if (ret < 0)
	57	+ kfree(buf);
	58
	59	return ret;
	60	}
	61	--
	62	2.19.1
	63