Commit 6f9b1a0
net/mlx5e: fix double free of encap_header
When mlx5_packet_reformat_alloc() fails, the encap_header allocated in
mlx5e_tc_tun_create_header_ipv4{6} will be released within it. However,
e->encap_header is already set to the previously freed encap_header
before mlx5_packet_reformat_alloc(). As a result, the later
mlx5e_encap_put() will free e->encap_header again, causing a double free
issue.
mlx5e_encap_put()
--> mlx5e_encap_dealloc()
--> kfree(e->encap_header)
This happens when cmd: MLX5_CMD_OP_ALLOC_PACKET_REFORMAT_CONTEXT fail.
This patch fix it by not setting e->encap_header until
mlx5_packet_reformat_alloc() success.
Fixes: d589e78 ("net/mlx5e: Allow concurrent creation of encap entries")
Reported-by: Cruz Zhao <cruzzhao@linux.alibaba.com>
Reported-by: Tianchen Ding <dtcccc@linux.alibaba.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>1 parent fd64fd1 commit 6f9b1a0
1 file changed
Lines changed: 4 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
300 | 300 | | |
301 | 301 | | |
302 | 302 | | |
303 | | - | |
304 | | - | |
305 | | - | |
306 | 303 | | |
307 | 304 | | |
308 | 305 | | |
| |||
322 | 319 | | |
323 | 320 | | |
324 | 321 | | |
| 322 | + | |
| 323 | + | |
325 | 324 | | |
326 | 325 | | |
327 | 326 | | |
| |||
568 | 567 | | |
569 | 568 | | |
570 | 569 | | |
571 | | - | |
572 | | - | |
573 | | - | |
574 | 570 | | |
575 | 571 | | |
576 | 572 | | |
| |||
590 | 586 | | |
591 | 587 | | |
592 | 588 | | |
| 589 | + | |
| 590 | + | |
593 | 591 | | |
594 | 592 | | |
595 | 593 | | |
| |||
0 commit comments