> From: Dan Carpenter [mailto:dan.carpen...@oracle.com] > Sent: Tuesday, March 13, 2018 11:10 AM > To: Elior, Ariel <ariel.el...@cavium.com>; Kalderon, Michal > <michal.kalde...@cavium.com> > Cc: Dept-Eng Everest Linux L2 <dept-engeverestlinu...@cavium.com>; > netdev@vger.kernel.org; kernel-janit...@vger.kernel.org > Subject: [PATCH net] qed: Use after free in qed_rdma_free() > > We're dereferencing "p_hwfn->p_rdma_info" but that is freed on the line > before in qed_rdma_resc_free(p_hwfn). > > Fixes: 9de506a547c0 ("qed: Free RoCE ILT Memory on rmmod qedr") > Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> > > diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c > b/drivers/net/ethernet/qlogic/qed/qed_rdma.c > index f3ee6538b553..a411f9c702a1 100644 > --- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c > +++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c > @@ -379,8 +379,8 @@ static void qed_rdma_free(struct qed_hwfn > *p_hwfn) > DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n"); > > qed_rdma_free_reserved_lkey(p_hwfn); > - qed_rdma_resc_free(p_hwfn); > qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto); > + qed_rdma_resc_free(p_hwfn); > } > > static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid) Thanks,
Acked-by: Michal Kalderon <michal.kalde...@cavium.com>
