Patch "net/mlx5e: fix double free in mlx5e_destroy_flow_table" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    net/mlx5e: fix double free in mlx5e_destroy_flow_table

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d7e4e0b298f7e025a8d1d477793ef1fc0ddad78a
Author: Zhengchao Shao <shaozhengchao@xxxxxxxxxx>
Date:   Wed Jun 28 08:59:34 2023 +0800

    net/mlx5e: fix double free in mlx5e_destroy_flow_table
    
    [ Upstream commit 884abe45a9014d0de2e6edb0630dfd64f23f1d1b ]
    
    In function accel_fs_tcp_create_groups(), when the ft->g memory is
    successfully allocated but the 'in' memory fails to be allocated, the
    memory pointed to by ft->g is released once. And in function
    accel_fs_tcp_create_table, mlx5e_destroy_flow_table is called to release
    the memory pointed to by ft->g again. This will cause double free problem.
    
    Fixes: c062d52ac24c ("net/mlx5e: Receive flow steering framework for accelerated TCP flows")
    Signed-off-by: Zhengchao Shao <shaozhengchao@xxxxxxxxxx>
    Signed-off-by: Saeed Mahameed <saeedm@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
index 88a5aed9d6781..c7d191f66ad1b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
@@ -190,6 +190,7 @@ static int accel_fs_tcp_create_groups(struct mlx5e_flow_table *ft,
 	in = kvzalloc(inlen, GFP_KERNEL);
 	if  (!in || !ft->g) {
 		kfree(ft->g);
+		ft->g = NULL;
 		kvfree(in);
 		return -ENOMEM;
 	}



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux