Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 29, 2019 at 12:00:10PM +0100, Pavel Machek wrote:
> Hi!
> 
> > From: Huazhong Tan <tanhuazhong@xxxxxxxxxx>
> > 
> > [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> > 
> > When hns3_get_ring_config()/hns3_queue_to_ring()/
> > hns3_get_vector_ring_chain() failed during resetting, the allocated
> > memory has not been freed before these three functions return. So
> > this patch adds error handler in these functions to fix it.
> 
> Correct me if I'm wrong, but... this introduces use-after-free:
> 
> > @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
> >  	}
> >  
> >  	return 0;
> > +
> > +err_free_chain:
> > +	cur_chain = head->next;
> > +	while (cur_chain) {
> > +		chain = cur_chain->next;
> > +		devm_kfree(&pdev->dev, chain);
> > +		cur_chain = chain;
> > +	}
> 
> Lets take two iterations:
> 
> > +		chain = cur_chain->next;
> > +		devm_kfree(&pdev->dev, chain);
> chain freed here.
> > +		cur_chain = chain;
> 
> > +		chain = cur_chain->next;
> chain->next accessed here, after free.
> > +		devm_kfree(&pdev->dev, chain);
> > +		cur_chain = chain;
> 
> Should it do devm_kfree(&pdev->dev, cur_chain); ?

I think Sasha tried to backport a fix for this patch, but that fix broke
the build :(

If you want to provide a working backport, I'll be glad to take it.

thanks,

greg k-h



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux