77b785c587
[ Upstream commit b65d52ac9c085c0c52dee012a210d4e2f352611b ]
qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
qed_cxt_tables_alloc() accesses the freed pointer on failure
of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
which may lead to use-after-free. Fix this issue by setting
p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().
Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/r/20231210045255.21383-1-dinghao.liu@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|---|---|---|
| .. | ||
| Makefile | ||
| qed.h | ||
| qed_chain.c | ||
| qed_cxt.c | ||
| qed_cxt.h | ||
| qed_dcbx.c | ||
| qed_dcbx.h | ||
| qed_debug.c | ||
| qed_debug.h | ||
| qed_dev.c | ||
| qed_dev_api.h | ||
| qed_devlink.c | ||
| qed_devlink.h | ||
| qed_fcoe.c | ||
| qed_fcoe.h | ||
| qed_hsi.h | ||
| qed_hw.c | ||
| qed_hw.h | ||
| qed_init_fw_funcs.c | ||
| qed_init_ops.c | ||
| qed_init_ops.h | ||
| qed_int.c | ||
| qed_int.h | ||
| qed_iscsi.c | ||
| qed_iscsi.h | ||
| qed_iwarp.c | ||
| qed_iwarp.h | ||
| qed_l2.c | ||
| qed_l2.h | ||
| qed_ll2.c | ||
| qed_ll2.h | ||
| qed_main.c | ||
| qed_mcp.c | ||
| qed_mcp.h | ||
| qed_mng_tlv.c | ||
| qed_ooo.c | ||
| qed_ooo.h | ||
| qed_ptp.c | ||
| qed_ptp.h | ||
| qed_rdma.c | ||
| qed_rdma.h | ||
| qed_reg_addr.h | ||
| qed_roce.c | ||
| qed_roce.h | ||
| qed_selftest.c | ||
| qed_selftest.h | ||
| qed_sp.h | ||
| qed_sp_commands.c | ||
| qed_spq.c | ||
| qed_sriov.c | ||
| qed_sriov.h | ||
| qed_vf.c | ||
| qed_vf.h | ||