RE: [PATCH v2] nfp: fix use-after-free in area_cache_get()

From: Yinjun Zhang
Date: Wed Aug 10 2022 - 00:45:09 EST


On Wed, 10 Aug 2022 12:04:45 +0800 Jialiang Wang wrote:
> diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
> b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
> index 34c0d2ddf9ef..a83b8ee49062 100644
> --- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
> +++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c
> @@ -873,10 +873,6 @@ area_cache_get(struct nfp_cpp *cpp, u32 id,
> cache->addr = 0;
> }
>
> - /* Adjust the start address to be cache size aligned */
> - cache->id = id;
> - cache->addr = addr & ~(u64)(cache->size - 1);
> -
> /* Re-init to the new ID and address */
> if (cpp->op->area_init) {
> err = cpp->op->area_init(cache->area,
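Review bot: deleting the `cache->addr = addr & ~(u64)(cache->size - 1);` assignment on the line before the `area_init` call means `area_init` now runs with whatever the cache entry held before, and the context just above this hunk (`cache->addr = 0;`) shows that can be zero; the comment kept at `/* Re-init to the new ID and address */` says this call is meant to see the new address. If the goal is only to keep a failed init from leaving a stale `cache->id`, move just the `cache->id = id;` line and leave the aligned `cache->addr` assignment (and its comment) where it was, so `area_init` still gets the correct base.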
> @@ -894,6 +890,10 @@ area_cache_get(struct nfp_cpp *cpp, u32 id,
> return NULL;
> }
>
> + /* Adjust the start address to be cache size aligned */
> + cache->id = id;
> + cache->addr = addr & ~(u64)(cache->size - 1);

`cache->addr` is used in `area_init`, so it should be set in advance.

> +
> exit:
> /* Adjust offset */
> *offset = addr - cache->addr;
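Review bot: placing the `cache->id`/`cache->addr` assignments after the `return NULL;` error path does achieve the stated aim of not marking the entry as valid until init succeeded, but the `exit:` label directly below computes `*offset = addr - cache->addr;`, so every path reaching `exit:` still needs `cache->addr` to hold the aligned address for this request; with the earlier assignment removed, any `goto exit` taken before this point would compute the offset against a stale or zeroed `cache->addr`. Please confirm the cache-hit path already sets `cache->addr`, or keep the address assignment before `area_init` and move only `cache->id` here, which also lets the "cache size aligned" comment stay attached to the line it describes.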
> --
> 2.17.1