From: Yunjian Wang <wangyunjian@huawei.com>
Date: Mon, 12 Apr 2021 14:41:18 +0000 (+0800)
Subject: i40e: Fix use-after-free in i40e_client_subtask()
X-Git-Tag: v4.19.191~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c1322eaeb8af0d8985b5cc5fa759140fa0e57b84;p=thirdparty%2Fkernel%2Fstable.git

i40e: Fix use-after-free in i40e_client_subtask()

[ Upstream commit 38318f23a7ef86a8b1862e5e8078c4de121960c3 ]

Currently the call to i40e_client_del_instance frees the object
pf->cinst, however pf->cinst->lan_info is being accessed after
the free. Fix this by adding the missing return.

Addresses-Coverity: ("Read from pointer after free")
Fixes: 7b0b1a6d0ac9 ("i40e: Disable iWARP VSI PETCP_ENA flag on netdev down events")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
index 5f3b8b9ff511d..c1832a8487140 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
@@ -377,6 +377,7 @@ void i40e_client_subtask(struct i40e_pf *pf)
 				clear_bit(__I40E_CLIENT_INSTANCE_OPENED,
 					  &cdev->state);
 				i40e_client_del_instance(pf);
+				return;
 			}
 		}
 	}