If the call to mlx5_fc_create() fails, then shared_counter will be freed before its member, shared_counter->counter, is accessed to retrieve the error code. Fix by using an intermediate variable. Addresses-Coverity: CID 1497153: Memory - illegal accesses (USE_AFTER_FREE) Fixes: 1edae2335adf ("net/mlx5e: CT: Use the same counter for both directions") Signed-off-by: Alex Dewar <alex.dewar90@xxxxxxxxx> --- v2: - Add Fixes tag (Leon) - Use ERR_CAST (Leon) Hi Leon, I've made the suggested changes. Let me know if there's anything else you need :) There is also this patch in the series which doesn't seem to have been reviewed yet: https://lore.kernel.org/lkml/20200927113254.362480-4-alex.dewar90@xxxxxxxxx/ Best, Alex drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index b5f8ed30047b..1e80e7669995 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -738,6 +738,7 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, struct mlx5_ct_shared_counter *shared_counter; struct mlx5_core_dev *dev = ct_priv->dev; struct mlx5_ct_entry *rev_entry; + struct mlx5_fc *counter; __be16 tmp_port; /* get the reversed tuple */ @@ -775,12 +776,13 @@ mlx5_tc_ct_shared_counter_get(struct mlx5_tc_ct_priv *ct_priv, if (!shared_counter) return ERR_PTR(-ENOMEM); - shared_counter->counter = mlx5_fc_create(dev, true); - if (IS_ERR(shared_counter->counter)) { + counter = mlx5_fc_create(dev, true); + if (IS_ERR(counter)) { ct_dbg("Failed to create counter for ct entry"); kfree(shared_counter); - return ERR_PTR(PTR_ERR(shared_counter->counter)); + return ERR_CAST(counter); } + shared_counter->counter = counter; refcount_set(&shared_counter->refcount, 1); return shared_counter; -- 2.28.0