net/mlx5e: IPoIB, Fix access to invalid memory address
authorRoi Dayan <roid@mellanox.com>
Mon, 21 Aug 2017 09:04:50 +0000 (12:04 +0300)
committerSaeed Mahameed <saeedm@mellanox.com>
Thu, 28 Sep 2017 04:23:09 +0000 (07:23 +0300)
When cleaning rdma netdevice we need to save the mdev pointer
because priv is released when we release netdev.

This bug was found using the kernel address sanitizer (KASAN).
use-after-free in mlx5_rdma_netdev_free+0xe3/0x100 [mlx5_core]

Fixes: 48935bbb7ae8 ("net/mlx5e: IPoIB, Add netdevice profile skeleton")
Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c

index 85298051a3e4fcf74767196dcc6660114222b4cf..145e392ab84973b0fa632c8c09895069ab49865a 100644 (file)
@@ -572,12 +572,13 @@ void mlx5_rdma_netdev_free(struct net_device *netdev)
 {
        struct mlx5e_priv          *priv    = mlx5i_epriv(netdev);
        const struct mlx5e_profile *profile = priv->profile;
+       struct mlx5_core_dev       *mdev    = priv->mdev;
 
        mlx5e_detach_netdev(priv);
        profile->cleanup(priv);
        destroy_workqueue(priv->wq);
        free_netdev(netdev);
 
-       mlx5e_destroy_mdev_resources(priv->mdev);
+       mlx5e_destroy_mdev_resources(mdev);
 }
 EXPORT_SYMBOL(mlx5_rdma_netdev_free);