If the call to mlx5_fc_create() fails, then shared_counter will be freed
before its member, shared_counter->counter, is accessed to retrieve the
error code. Fix by using an intermediate variable.
Addresses-Coverity: CID 1497153: Memory - illegal accesses (USE_AFTER_FREE)
Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions")
Signed-off-by: Alex Dewar <alex.dewar90@xxxxxxxxx>
---
v2:
- Add Fixes tag (Leon)
- Use ERR_CAST (Leon)
Hi Leon,
I've made the suggested changes. Let me know if there's anything else
you need :)
There is also this patch in the series which doesn't seem to have been
reviewed yet: https://lore.kernel.org/lkml/20200927113254.362480-4-alex.dewar90@xxxxxxxxx/
Best,
Alex
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
index b5f8ed30047b..1e80e7669995 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
@@ -738,6 +738,7 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv,
struct mlx5_ct_shared_counter *shared_counter;
struct mlx5_core_dev *dev = ct_priv->dev;
struct mlx5_ct_entry *rev_entry;
+ struct mlx5_fc *counter;
__be16 tmp_port;
/* get the reversed tuple */
@@ -775,12 +776,13 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv,
if (!shared_counter)
return ERR_PTR(-ENOMEM);
- shared_counter->counter = mlx5_fc_create(dev, true);
- if (IS_ERR(shared_counter->counter)) {
+ counter = mlx5_fc_create(dev, true);
+ if (IS_ERR(counter)) {
ct_dbg("Failed to create counter for ct entry");
kfree(shared_counter);
- return ERR_PTR(PTR_ERR(shared_counter->counter));
+ return ERR_CAST(counter);
}
+ shared_counter->counter = counter;
refcount_set(&shared_counter->refcount, 1);
return shared_counter;
--
2.28.0
