My static analyzer tool reported a potential uaf in
mlx5e_ktls_del_rx. In this function, if the condition
cancel_work_sync(&resync->work) is true, and then
priv_rx could be freed. But priv_rx is used later.
I'm unfamiliar with how this function works. Maybe the
maintainer forgot to add return after freeing priv_rx?
Fixes: b850bbff96512 ("net/mlx5e: kTLS, Use refcounts to free kTLS RX priv
context")
Signed-off-by: Lv Yunlong <lyl2...@mail.ustc.edu.cn>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
index d06532d0baa4..54a77df42316 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
@@ -663,8 +663,10 @@ void mlx5e_ktls_del_rx(struct net_device *netdev, struct
tls_context *tls_ctx)
*/
wait_for_completion(&priv_rx->add_ctx);
resync = &priv_rx->resync;
- if (cancel_work_sync(&resync->work))
+ if (cancel_work_sync(&resync->work)) {
mlx5e_ktls_priv_rx_put(priv_rx);
+ return;
+ }
priv_rx->stats->tls_del++;
if (priv_rx->rule.rule)
--
2.25.1
