1 | From ecece7988767c542c30eb7cac56d72c77b28ffda Mon Sep 17 00:00:00 2001 |
2 | From: Aditya Pakki <pakki001@umn.edu> | |
3 | Date: Tue, 19 Mar 2019 16:42:40 -0500 | |
4 | Subject: net: mlx5: Add a missing check on idr_find, free buf | |
5 | ||
6 | [ Upstream commit 8e949363f017e2011464812a714fb29710fb95b4 ] | |
7 | ||
8 | idr_find() can return a NULL value to 'flow' which is used without a | |
9 | check. The patch adds a check to avoid potential NULL pointer dereference. | |
10 | ||
11 | In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated | |
12 | using kzalloc. | |
13 | ||
14 | Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines") | |
15 | Signed-off-by: Aditya Pakki <pakki001@umn.edu> | |
16 | Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> | |
17 | Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> | |
18 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
19 | --- | |
20 | drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 14 +++++++++++--- | |
21 | 1 file changed, 11 insertions(+), 3 deletions(-) | |
22 | ||
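--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
@@ -217,15 +217,21 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
 void *cmd;
 int ret;
 
+ rcu_read_lock();
+ flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
+ rcu_read_unlock();
+
+ if (!flow) {
+ WARN_ONCE(1, "Received NULL pointer for handle\n");
+ return -EINVAL;
+ }
+
 buf = kzalloc(size, GFP_ATOMIC);
 if (!buf)
 return -ENOMEM;
 
 cmd = (buf + 1);
 
- rcu_read_lock();
- flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
- rcu_read_unlock();
 mlx5_fpga_tls_flow_to_cmd(flow, cmd);
 
 MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
@@ -238,6 +244,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
 buf->complete = mlx_tls_kfree_complete;
 
 ret = mlx5_fpga_sbu_conn_sendmsg(mdev->fpga->tls->conn, buf);
+ if (ret < 0)
+ kfree(buf);
 
 return ret;
 }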
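Review bot: In the first hunk, `rcu_read_unlock();` still runs immediately after `idr_find()`, so both the new NULL check and the later `mlx5_fpga_tls_flow_to_cmd(flow, cmd)` use `flow` outside the RCU read-side critical section. Unless something not visible in this hunk pins the flow entry, a concurrent removal could free it between the lookup and the copy, and the NULL check cannot detect that. I would keep the read lock held until the flow has been copied into `cmd`, moving `rcu_read_unlock();` to just after `mlx5_fpga_tls_flow_to_cmd(flow, cmd);` and adding an unlock on the `!flow` and `!buf` return paths (the allocation is already `GFP_ATOMIC`, so it may stay inside the locked region). The opening of mlx5_fpga_tls_resync_rx lies outside the hunk, so how `size` is computed and how flow lifetime is managed were not reviewed.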
61 | -- | |
62 | 2.19.1 | |
63 |