Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp784450rdb;
        Tue, 5 Dec 2023 22:46:45 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGLAoT493rW1yQl6N9Fex6bZ4lSnY+nbV6yefO4YkR6/ZoHa9qQViHD+xRewUDswrYIwo4q
X-Received: by 2002:a05:6808:1889:b0:3b8:b063:5056 with SMTP id bi9-20020a056808188900b003b8b0635056mr655400oib.87.1701845205665;
        Tue, 05 Dec 2023 22:46:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701845205; cv=none;
        d=google.com; s=arc-20160816;
        b=xJwsjbsLRBeB7FVoTQE6MmSFx3mRAAQ7QV5bZReqBZeidT0x1cztIeR0PUTJsCSpjN
         j1mS/iSN1F1MsFZgAjTHWKCN1X/L1FIXEUFyDZ6FEsxw+HalrgvsJe5HM2gTQg0jE39T
         utNaYFmC+GrVL4/mwSn23pqV56C2c+uq2ByavwYaFuo7Fsg62GR0OGNkcQBzzVmQ0USI
         iWkTdniN32I/QX4gXBgKUOnqSfOF0OLX7tX9CjR8rzFzosZS4QOjG94pHrcgw4Mnu9h7
         Yx7jVCQ1rtSSknXLk9kThDYKR10RgGBRUCoI+qzXv4deJ65/f9KcuJgSesxyMWZhND7d
         dTOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from;
        bh=cgGoBNIg30D4ngT/DsAGDI+jOqjPsqFdv3d+I9/N4zk=;
        fh=K0Wr/lpZZXQPRg4zlVZEj+EFE/otAusXOEelsMQtSLI=;
        b=hUom14Oc4XpOqIE8u8JOpf/CB149ejPobokh0IsAzZU7/Wv7eo6y66EnRBQK+AODoy
         G6pILjns0q3ReRTfxQ1KtOaDqzQ3FzTPHrU3gK3mlpDhUqKjewm21BKyNYKVoGHpINxN
         pHl2tX/+XzaZWz24wwauJhImplpHmNUYyGWOE2M7LVzJJJWuJxd7rurGgot2b22weVMz
         cnBzH1r7qsICHWR8lkzuX+zMb83gsbEJyl4maa4V1PAtsTqg8MRSbrFUXPR3wceJqAe4
         L46IqPukxnt23FgZuSyiZQODczDx3HcqiSH6ycYfo9BvzDvpQw7W7c70XvLG/Gsz0k7X
         crag==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from snail.vger.email (snail.vger.email. [23.128.96.37])
        by mx.google.com with ESMTPS id 142-20020a630194000000b005bd2b19dfc4si11305970pgb.493.2023.12.05.22.46.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 05 Dec 2023 22:46:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by snail.vger.email (Postfix) with ESMTP id 0146C80B81E2;
	Tue,  5 Dec 2023 22:46:27 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1376818AbjLFGqM (ORCPT <rfc822;a.bouin@gmail.com> + 99 others);
        Wed, 6 Dec 2023 01:46:12 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42298 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229520AbjLFGqL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Dec 2023 01:46:11 -0500
Received: from zju.edu.cn (spam.zju.edu.cn [61.164.42.155])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2EDF1D40;
        Tue,  5 Dec 2023 22:46:13 -0800 (PST)
Received: from localhost.localdomain (unknown [10.190.70.17])
        by mail-app2 (Coremail) with SMTP id by_KCgBHvdSYGHBllDpRAA--.45469S4;
        Wed, 06 Dec 2023 14:45:51 +0800 (CST)
From:   Dinghao Liu <dinghao.liu@zju.edu.cn>
To:     dinghao.liu@zju.edu.cn
Cc:     Ariel Elior <aelior@marvell.com>,
        Manish Chopra <manishc@marvell.com>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Yuval Mintz <Yuval.Mintz@qlogic.com>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH] qed: Fix a potential double-free in qed_cxt_tables_alloc
Date:   Wed,  6 Dec 2023 14:45:31 +0800
Message-Id: <20231206064531.6089-1-dinghao.liu@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID: by_KCgBHvdSYGHBllDpRAA--.45469S4
X-Coremail-Antispam: 1UD129KBjvdXoW7GryDur4ruw1UKF4UXF18Xwb_yoWkWFb_Ga
        15ZrnxAF1DJr90ka17JrWDZ34F9F1ku3WrXrn2k3yfA345Aa15ArWIvryfJF4rW34UCryD
        ur4xXay8G34IyjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
        9fnUUIcSsGvfJTRUUUbsxFc2x0x2IEx4CE42xK8VAvwI8IcIk0rVWrJVCq3wAFIxvE14AK
        wVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK021l84ACjcxK6xIIjxv20x
        vE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4UJVW0owA2z4x0Y4vEx4A2
        jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oVCq3wAS0I0E0xvYzxvE52
        x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUJVWU
        GwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI4
        8JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02628vn2kIc2xKxwCF04k20xvY
        0x0EwIxGrwCF04k20xvE74AGY7Cv6cx26r4fKr1UJr1l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr
        1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE
        14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7
        IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E
        87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14v26r1j6r4UYxBIdaVFxhVjvjDU0x
        ZFpf9x0JUdHUDUUUUU=
X-CM-SenderInfo: qrrzjiaqtzq6lmxovvfxof0/1tbiAgoTBmVsUQg4xgAasp
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 05 Dec 2023 22:46:27 -0800 (PST)

qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to
free p_hwfn->p_cxt_mngr->ilt_shadow on error. However,
qed_cxt_tables_alloc() frees this pointer again on failure
of qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(),
which may lead to double-free. Fix this issue by setting
p_hwfn->p_cxt_mngr->ilt_shadow to NULL in qed_ilt_shadow_free().

Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
 drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 65e20693c549..26e247517394 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -933,6 +933,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
 		p_dma->virt_addr = NULL;
 	}
 	kfree(p_mngr->ilt_shadow);
+	p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
 }
 
 static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,
-- 
2.17.1