Commit 38e8a5c0 authored by Roi Dayan's avatar Roi Dayan Committed by Saeed Mahameed

net/mlx5e: IPoIB, Fix access to invalid memory address

When cleaning rdma netdevice we need to save the mdev pointer
because priv is released when we release netdev.

This bug was found using the kernel address sanitizer (KASAN).
use-after-free in mlx5_rdma_netdev_free+0xe3/0x100 [mlx5_core]

Fixes: 48935bbb ("net/mlx5e: IPoIB, Add netdevice profile skeleton")
Signed-off-by: default avatarRoi Dayan <roid@mellanox.com>
Reviewed-by: default avatarOr Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
parent c2cc187e
...@@ -572,12 +572,13 @@ void mlx5_rdma_netdev_free(struct net_device *netdev) ...@@ -572,12 +572,13 @@ void mlx5_rdma_netdev_free(struct net_device *netdev)
{ {
struct mlx5e_priv *priv = mlx5i_epriv(netdev); struct mlx5e_priv *priv = mlx5i_epriv(netdev);
const struct mlx5e_profile *profile = priv->profile; const struct mlx5e_profile *profile = priv->profile;
struct mlx5_core_dev *mdev = priv->mdev;
mlx5e_detach_netdev(priv); mlx5e_detach_netdev(priv);
profile->cleanup(priv); profile->cleanup(priv);
destroy_workqueue(priv->wq); destroy_workqueue(priv->wq);
free_netdev(netdev); free_netdev(netdev);
mlx5e_destroy_mdev_resources(priv->mdev); mlx5e_destroy_mdev_resources(mdev);
} }
EXPORT_SYMBOL(mlx5_rdma_netdev_free); EXPORT_SYMBOL(mlx5_rdma_netdev_free);
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment