Patch "qed: Fix a potential use-after-free in qed_cxt_tables_alloc" has been added to the 5.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    qed: Fix a potential use-after-free in qed_cxt_tables_alloc

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     qed-fix-a-potential-use-after-free-in-qed_cxt_tables.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d9b5d73110eb715da6b9aaf7e61323842c1f43a2
Author: Dinghao Liu <dinghao.liu@xxxxxxxxxx>
Date:   Sun Dec 10 12:52:55 2023 +0800

    qed: Fix a potential use-after-free in qed_cxt_tables_alloc
    
    [ Upstream commit b65d52ac9c085c0c52dee012a210d4e2f352611b ]
    
    qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
    free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
    qed_cxt_tables_alloc() accesses the freed pointer on failure
    of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
    which may lead to use-after-free. Fix this issue by setting
    p_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().
    
    Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@xxxxxxxxx>
    Signed-off-by: Dinghao Liu <dinghao.liu@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20231210045255.21383-1-dinghao.liu@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 8ea46b81b7395..8a7ac17d3ef7e 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1023,6 +1023,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
 		p_dma->p_virt = NULL;
 	}
 	kfree(p_mngr->ilt_shadow);
+	p_mngr->ilt_shadow = NULL;
 }
 
 static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux