octeontx2-af: Fix access of iter->entry after iter object has been kf…

…ree'd The call to pc_delete_flow can kfree the iter object, so the following dev_err message that accesses iter->entry can accessmemory that has just been kfree'd. Fix this by adding a temporary variable 'entry' that has a copy of iter->entry and also use this when indexing into the array mcam->entry2target_pffunc[]. Also print the unsigned value using the %u format specifier rather than %d. Addresses-Coverity: ("Read from pointer after free") Fixes: 55307fc ("octeontx2-af: Add mbox messages to install and delete MCAM rules") Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: https://lore.kernel.org/r/20201118143803.463297-1-colin.king@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
mariux64 · Nov 20, 2020 · 7648398 · 7648398
1 parent dd6028a
commit 7648398
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
@@ -1218,11 +1218,13 @@ int rvu_mbox_handler_npc_delete_flow(struct rvu *rvu,
 	mutex_unlock(&mcam->lock);
 
 	list_for_each_entry_safe(iter, tmp, &del_list, list) {
+		u16 entry = iter->entry;
+
 		/* clear the mcam entry target pcifunc */
-		mcam->entry2target_pffunc[iter->entry] = 0x0;
+		mcam->entry2target_pffunc[entry] = 0x0;
 		if (npc_delete_flow(rvu, iter, pcifunc))
-			dev_err(rvu->dev, "rule deletion failed for entry:%d",
-				iter->entry);
+			dev_err(rvu->dev, "rule deletion failed for entry:%u",
+				entry);
 	}
 
 	return 0;