On 03/19/2019 02:42 PM, Aditya Pakki wrote:
> idr_find() can return a NULL value to 'flow' which is used without a
> check. The patch adds a check to avoid potential NULL pointer dereference.
>
> In case of mlx5_fpga_sbu_conn_sendmsg() failure, free buf allocated
> using kzalloc.
>
> Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
> ---
> v3: Reorder buf allocations and flow check.
> v2: failure to return in case of flow failure.
> v1: Failed to free buf in case of flow failure.
>
> Signed-off-by: Aditya Pakki <pakki001@xxxxxxx>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
> index 5cf5f2a9d51f..8de64e88c670 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
> @@ -217,15 +217,21 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
> void *cmd;
> int ret;
>
> + rcu_read_lock();
> + flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
> + rcu_read_unlock();
This looks suspect (even before your patch)
What prevents flow from disappearing after this rcu_read_lock() ?
IMO your patch might prevent a NULL deref, but not use-after-free.
> +
> + if (!flow) {
> + WARN_ONCE(1, "Received NULL pointer for handle\n");
> + return -EINVAL;
> + }
> +
> buf = kzalloc(size, GFP_ATOMIC);
> if (!buf)
> return -ENOMEM;
>
> cmd = (buf + 1);
>
> - rcu_read_lock();
> - flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
> - rcu_read_unlock();
> mlx5_fpga_tls_flow_to_cmd(flow, cmd);
>
> MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
> @@ -238,6 +244,8 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
> buf->complete = mlx_tls_kfree_complete;
>
> ret = mlx5_fpga_sbu_conn_sendmsg(mdev->fpga->tls->conn, buf);
> + if (ret < 0)
> + kfree(buf);
>
> return ret;
> }
>
