| From f1c2fbe6f46a9871d21bfa0a7af6e5a5da017707 Mon Sep 17 00:00:00 2001 |
| From: Aditya Pakki <pakki001@umn.edu> |
| Date: Tue, 19 Mar 2019 16:42:40 -0500 |
| Subject: net: mlx5: Add a missing check on idr_find, free buf |
| |
| [ Upstream commit 8e949363f017e2011464812a714fb29710fb95b4 ] |
| |
| idr_find() can return a NULL value to 'flow' which is used without a |
| check. The patch adds a check to avoid potential NULL pointer dereference. |
| |
| In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated |
| using kzalloc. |
| |
| Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines") |
| Signed-off-by: Aditya Pakki <pakki001@umn.edu> |
| Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> |
| Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 14 +++++++++++--- |
| 1 file changed, 11 insertions(+), 3 deletions(-) |
| |
| diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c |
| index 5cf5f2a9d51f..8de64e88c670 100644 |
| --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c |
| +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c |
| @@ -217,15 +217,21 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, |
| void *cmd; |
| int ret; |
| |
| + rcu_read_lock(); |
| + flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); |
| + rcu_read_unlock(); |
| + |
| + if (!flow) { |
| + WARN_ONCE(1, "Received NULL pointer for handle\n"); |
| + return -EINVAL; |
| + } |
| + |
| buf = kzalloc(size, GFP_ATOMIC); |
| if (!buf) |
| return -ENOMEM; |
| |
| cmd = (buf + 1); |
| |
| - rcu_read_lock(); |
| - flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); |
| - rcu_read_unlock(); |
| mlx5_fpga_tls_flow_to_cmd(flow, cmd); |
| |
| MLX5_SET(tls_cmd, cmd, swid, ntohl(handle)); |
| @@ -238,6 +244,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, |
| buf->complete = mlx_tls_kfree_complete; |
| |
| ret = mlx5_fpga_sbu_conn_sendmsg(mdev->fpga->tls->conn, buf); |
| + if (ret < 0) |
| + kfree(buf); |
| |
| return ret; |
| } |
| -- |
| 2.19.1 |
| |