c748c358de
[ Upstream commit d5a306aedba34e640b11d7026dbbafb78ee3a5f6 ]
In efx_probe_filters, the channel->rps_flow_id is freed in a
efx_for_each_channel marco when success equals to 0.
However, after the following call chain:
ef100_net_open
|-> efx_probe_filters
|-> ef100_net_stop
|-> efx_remove_filters
The channel->rps_flow_id is freed again in the efx_for_each_channel of
efx_remove_filters, triggering a double-free bug.
Fixes:
|
||
|---|---|---|
| .. | ||
| falcon | ||
| Kconfig | ||
| Makefile | ||
| bitfield.h | ||
| ef10.c | ||
| ef10_regs.h | ||
| ef10_sriov.c | ||
| ef10_sriov.h | ||
| ef100.c | ||
| ef100.h | ||
| ef100_ethtool.c | ||
| ef100_ethtool.h | ||
| ef100_netdev.c | ||
| ef100_netdev.h | ||
| ef100_nic.c | ||
| ef100_nic.h | ||
| ef100_regs.h | ||
| ef100_rx.c | ||
| ef100_rx.h | ||
| ef100_tx.c | ||
| ef100_tx.h | ||
| efx.c | ||
| efx.h | ||
| efx_channels.c | ||
| efx_channels.h | ||
| efx_common.c | ||
| efx_common.h | ||
| enum.h | ||
| ethtool.c | ||
| ethtool_common.c | ||
| ethtool_common.h | ||
| farch.c | ||
| farch_regs.h | ||
| filter.h | ||
| io.h | ||
| mcdi.c | ||
| mcdi.h | ||
| mcdi_filters.c | ||
| mcdi_filters.h | ||
| mcdi_functions.c | ||
| mcdi_functions.h | ||
| mcdi_mon.c | ||
| mcdi_pcol.h | ||
| mcdi_port.c | ||
| mcdi_port.h | ||
| mcdi_port_common.c | ||
| mcdi_port_common.h | ||
| mtd.c | ||
| net_driver.h | ||
| nic.c | ||
| nic.h | ||
| nic_common.h | ||
| ptp.c | ||
| ptp.h | ||
| rx.c | ||
| rx_common.c | ||
| rx_common.h | ||
| selftest.c | ||
| selftest.h | ||
| siena.c | ||
| siena_sriov.c | ||
| siena_sriov.h | ||
| sriov.c | ||
| sriov.h | ||
| tx.c | ||
| tx.h | ||
| tx_common.c | ||
| tx_common.h | ||
| tx_tso.c | ||
| vfdi.h | ||
| workarounds.h | ||