authorColin Ian King <colin.king@canonical.com>2020-11-18 14:38:03 +0000
committerJakub Kicinski <kuba@kernel.org>2020-11-20 11:07:57 -0800
commit76483980174c6ff80cc4d02a444f2815073d203d (patch)
treeabcdce5aa1151a6275d78f0c1b2eca647ba0827a
parentdd6028a3cb5da85d6c8ff20a593a7a70d10d650c (diff)
octeontx2-af: Fix access of iter->entry after iter object has been kfree'd
The call to pc_delete_flow can kfree the iter object, so the following dev_err message that accesses iter->entry can access memory that has just been kfree'd. Fix this by adding a temporary variable 'entry' that has a copy of iter->entry and also use this when indexing into the array mcam->entry2target_pffunc[]. Also print the unsigned value using the %u format specifier rather than %d. Addresses-Coverity: ("Read from pointer after free") Fixes: 55307fcb9258 ("octeontx2-af: Add mbox messages to install and delete MCAM rules") Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: https://lore.kernel.org/r/20201118143803.463297-1-colin.king@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r--drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
index 4ddfdff33a61..14832b66d1fe 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
@@ -1218,11 +1218,13 @@ int rvu_mbox_handler_npc_delete_flow(struct rvu *rvu,
mutex_unlock(&mcam->lock);
list_for_each_entry_safe(iter, tmp, &del_list, list) {
+ u16 entry = iter->entry;
+
/* clear the mcam entry target pcifunc */
- mcam->entry2target_pffunc[iter->entry] = 0x0;
+ mcam->entry2target_pffunc[entry] = 0x0;
if (npc_delete_flow(rvu, iter, pcifunc))
- dev_err(rvu->dev, "rule deletion failed for entry:%d",
- iter->entry);
+ dev_err(rvu->dev, "rule deletion failed for entry:%u",
+ entry);
}
return 0;
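Review bot: The write `mcam->entry2target_pffunc[entry] = 0x0;` runs after the `mutex_unlock(&mcam->lock)` at the top of the hunk, so the table is modified without the lock that, judging by its name, protects the rest of the mcam state. Whether mailbox handlers are serialised some other way is not visible here, so a comment above the loop should say why the unlocked write is safe, for example `/* del_list is private to this call; lock dropped because npc_delete_flow() takes it */` if that is indeed the reason. The slot is also cleared before `npc_delete_flow()` has succeeded, and the function still ends in `return 0;`, so a failed deletion is only logged while the requester is told the rule is gone. The handler's body starts outside the hunk, so the locking context above `mutex_unlock` could not be checked.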