net/mlx5: Fix UAF in mlx5_eswitch_cleanup()

mlx5_eswitch_cleanup() is using esw right after freeing it for
releasing devlink_param.
Fix it by releasing the devlink_param before freeing the esw, and
adjust the create function accordingly.

Fixes: 3f90840305e2 ("net/mlx5: Move esw multiport devlink param to eswitch code")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Automatic Verification <verifier@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 5aaedbf717835f19a6c3b058248e52776a51a4ac..b4e46585612732dff50504a5b7fbed2bcef9706f 100644 (file)
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1751,16 +1751,14 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
        if (!MLX5_VPORT_MANAGER(dev) && !MLX5_ESWITCH_MANAGER(dev))
                return 0;
 
+       esw = kzalloc(sizeof(*esw), GFP_KERNEL);
+       if (!esw)
+               return -ENOMEM;
+
        err = devl_params_register(priv_to_devlink(dev), mlx5_eswitch_params,
                                   ARRAY_SIZE(mlx5_eswitch_params));
        if (err)
-               return err;
-
-       esw = kzalloc(sizeof(*esw), GFP_KERNEL);
-       if (!esw) {
-               err = -ENOMEM;
-               goto unregister_param;
-       }
+               goto free_esw;
 
        esw->dev = dev;
        esw->manager_vport = mlx5_eswitch_manager_vport(dev);
@@ -1821,10 +1819,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev)
        if (esw->work_queue)
                destroy_workqueue(esw->work_queue);
        debugfs_remove_recursive(esw->debugfs_root);
-       kfree(esw);
-unregister_param:
        devl_params_unregister(priv_to_devlink(dev), mlx5_eswitch_params,
                               ARRAY_SIZE(mlx5_eswitch_params));
+free_esw:
+       kfree(esw);
        return err;
 }
 
@@ -1848,9 +1846,9 @@ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
        esw_offloads_cleanup(esw);
        mlx5_esw_vports_cleanup(esw);
        debugfs_remove_recursive(esw->debugfs_root);
-       kfree(esw);
        devl_params_unregister(priv_to_devlink(esw->dev), mlx5_eswitch_params,
                               ARRAY_SIZE(mlx5_eswitch_params));
+       kfree(esw);
 }
 
 /* Vport Administration */