Patch "net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device" has been added to the 6.1-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 28 May 2023 17:53:17 +0100

This is a note to let you know that I've just added the patch titled

    net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mlx5-devcom-fix-error-flow-in-mlx5_devcom_register_device.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From af87194352cad882d787d06fb7efa714acd95427 Mon Sep 17 00:00:00 2001
From: Shay Drory <shayd@xxxxxxxxxx>
Date: Tue, 2 May 2023 13:35:11 +0300
Subject: net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device

From: Shay Drory <shayd@xxxxxxxxxx>

commit af87194352cad882d787d06fb7efa714acd95427 upstream.

In case devcom allocation is failed, mlx5 is always freeing the priv.
However, this priv might have been allocated by a different thread,
and freeing it might lead to use-after-free bugs.
Fix it by freeing the priv only in case it was allocated by the
running thread.

Fixes: fadd59fc50d0 ("net/mlx5: Introduce inter-device communication mechanism")
Signed-off-by: Shay Drory <shayd@xxxxxxxxxx>
Signed-off-by: Saeed Mahameed <saeedm@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
@@ -112,7 +112,8 @@ struct mlx5_devcom *mlx5_devcom_register
 	priv->devs[idx] = dev;
 	devcom = mlx5_devcom_alloc(priv, idx);
 	if (!devcom) {
-		kfree(priv);
+		if (new_priv)
+			kfree(priv);
 		return ERR_PTR(-ENOMEM);
 	}
 


Patches currently in stable-queue which might be from shayd@xxxxxxxxxx are

queue-6.1/net-mlx5-devcom-serialize-devcom-registration.patch
queue-6.1/net-mlx5e-fix-deadlock-in-tc-route-query-code.patch
queue-6.1/net-mlx5-devcom-fix-error-flow-in-mlx5_devcom_register_device.patch
queue-6.1/net-mlx5-handle-pairing-of-e-switch-via-uplink-un-load-apis.patch
queue-6.1/net-mlx5-collect-command-failures-data-only-for-known-commands.patch






