From 76483980174c6ff80cc4d02a444f2815073d203d Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Wed, 18 Nov 2020 14:38:03 +0000 Subject: octeontx2-af: Fix access of iter->entry after iter object has been kfree'd The call to pc_delete_flow can kfree the iter object, so the following dev_err message that accesses iter->entry can accessmemory that has just been kfree'd. Fix this by adding a temporary variable 'entry' that has a copy of iter->entry and also use this when indexing into the array mcam->entry2target_pffunc[]. Also print the unsigned value using the %u format specifier rather than %d. Addresses-Coverity: ("Read from pointer after free") Fixes: 55307fcb9258 ("octeontx2-af: Add mbox messages to install and delete MCAM rules") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20201118143803.463297-1-colin.king@canonical.com Signed-off-by: Jakub Kicinski --- drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'drivers') diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c index 4ddfdff33a61..14832b66d1fe 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c @@ -1218,11 +1218,13 @@ int rvu_mbox_handler_npc_delete_flow(struct rvu *rvu, mutex_unlock(&mcam->lock); list_for_each_entry_safe(iter, tmp, &del_list, list) { + u16 entry = iter->entry; + /* clear the mcam entry target pcifunc */ - mcam->entry2target_pffunc[iter->entry] = 0x0; + mcam->entry2target_pffunc[entry] = 0x0; if (npc_delete_flow(rvu, iter, pcifunc)) - dev_err(rvu->dev, "rule deletion failed for entry:%d", - iter->entry); + dev_err(rvu->dev, "rule deletion failed for entry:%u", + entry); } return 0; -- cgit v1.2.3