On Fri, Nov 29, 2019 at 12:00:10PM +0100, Pavel Machek wrote:
> Hi!
>
> > From: Huazhong Tan <tanhuazhong@xxxxxxxxxx>
> >
> > [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> >
> > When hns3_get_ring_config()/hns3_queue_to_ring()/
> > hns3_get_vector_ring_chain() failed during resetting, the allocated
> > memory has not been freed before these three functions return. So
> > this patch adds an error handler in these functions to fix it.
>
> Correct me if I'm wrong, but... this introduces a use-after-free:
>
> > @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
> > }
> >
> > return 0;
> > +
> > +err_free_chain:
> > + cur_chain = head->next;
> > + while (cur_chain) {
> > + chain = cur_chain->next;
> > + devm_kfree(&pdev->dev, chain);
> > + cur_chain = chain;
> > + }
>
> Let's take two iterations:
>
> > + chain = cur_chain->next;
> > + devm_kfree(&pdev->dev, chain);
> chain freed here.
> > + cur_chain = chain;
>
> > + chain = cur_chain->next;
> chain->next accessed here, after free.
> > + devm_kfree(&pdev->dev, chain);
> > + cur_chain = chain;
>
> Should it do devm_kfree(&pdev->dev, cur_chain); ?

I think Sasha tried to backport a fix for this patch, but that fix broke
the build :(

If you want to provide a working backport, I'll be glad to take it.

thanks,

greg k-h
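Review bot: the err_free_chain loop in the hns3_get_vector_ring_chain() hunk frees the wrong node and then reads through it. Each iteration runs `chain = cur_chain->next; devm_kfree(&pdev->dev, chain); cur_chain = chain;`, so the node just freed becomes cur_chain and the following iteration dereferences it via `cur_chain->next`, which is the use-after-free Pavel describes; in addition, the first node in the list (head->next) is never freed, because no iteration ever passes cur_chain itself to devm_kfree(). Freeing the current node and advancing with the saved pointer fixes both problems: `chain = cur_chain->next; devm_kfree(&pdev->dev, cur_chain); cur_chain = chain;`.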