Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp7908469ybc;
        Fri, 29 Nov 2019 03:02:11 -0800 (PST)
X-Google-Smtp-Source: APXvYqywzqg7QGmBDbQQd8A8zFSNulR4E9yL9qNaq0IZPcKPzW6FCL2p4nGyriC/pTi6eRWGlJzn
X-Received: by 2002:a0c:c481:: with SMTP id u1mr16477609qvi.17.1575025330993;
        Fri, 29 Nov 2019 03:02:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1575025330; cv=none;
        d=google.com; s=arc-20160816;
        b=YmEqLjKTzDM8TvISlIfJ6uohZgEMneC5xstdXgIbd8ORMc09aENqivhQmv6yQNYYSG
         p7M6Mog1LpHefGfGGTzrQDA6eKRwwFHngzprFKN7raH3PW1yWPbODhthkfZZEM1uJ9fe
         vF36csV7bmPjzf55ba3+rt2nMKv4KBbNE62O/9JWsAj75Xh3APySRefN2iHP7BnSGAdO
         X3J2VAcvztr6giv1ucLcGx+6AwZfkXs3Tu7pc5BwHV51wNFz0mpwTXeONYjWB64JJZ2T
         uldk4EhDXiy91ATAabmzpnQtBTaaP3rufWpPc4G4paV1kFQ1bwixm64rlio44COWFKxq
         Kjqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=wNVSA7EVa6PjCyM9Rq4/NoJUxN4uHN/TTRHiNuYHnZ0=;
        b=u94moxuoeKpP2KqKzy0t3NVp5k9PlRt1k3C3LAdfeBbbxTS9nizpPJk0InSmYBCZ8Q
         i2lVvQdieEgd+Fal3qsul8gFm2wbD1fc2bMZuA/mfTvMBzm/CQv9FweGqdILuLhmGBD8
         pnBaQU2zxXacwDDITISFET9y5obhyWUHshxAfSuNRKswdY+NgVxMkCN2W4bbFV/UuueB
         tEo85DO9272Y0mkn4kh8DRiDRwi8f7rom0oSH8cDSKwj8LSKScPZ7/qYcydmEwuzU0AB
         jjseNT8F+jLzdHAVCzZayvcs4QthUL+Lx0YdERvRm/BgcPodU39HsjbvXECODynHbrlr
         3GWQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id co5si16659967edb.203.2019.11.29.03.01.46;
        Fri, 29 Nov 2019 03:02:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726789AbfK2LAO (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Fri, 29 Nov 2019 06:00:14 -0500
Received: from jabberwock.ucw.cz ([46.255.230.98]:39124 "EHLO
        jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725892AbfK2LAO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 29 Nov 2019 06:00:14 -0500
Received: by jabberwock.ucw.cz (Postfix, from userid 1017)
        id D6B2D1C2447; Fri, 29 Nov 2019 12:00:11 +0100 (CET)
Date:   Fri, 29 Nov 2019 12:00:10 +0100
From:   Pavel Machek <pavel@denx.de>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        Huazhong Tan <tanhuazhong@huawei.com>,
        "David S. Miller" <davem@davemloft.net>,
        Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free
 problem during resetting
Message-ID: <20191129110010.GA4313@amd>
References: <20191127203114.766709977@linuxfoundation.org>
 <20191127203128.798931840@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="2oS5YaxWCcQjTEyO"
Content-Disposition: inline
In-Reply-To: <20191127203128.798931840@linuxfoundation.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

> From: Huazhong Tan <tanhuazhong@huawei.com>
>=20
> [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
>=20
> When hns3_get_ring_config()/hns3_queue_to_ring()/
> hns3_get_vector_ring_chain() failed during resetting, the allocated
> memory has not been freed before these three functions return. So
> this patch adds error handler in these functions to fix it.

Correct me if I'm wrong, but... this introduces use-after-free:

> @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_=
enet_tqp_vector *tqp_vector,
>  	}
> =20
>  	return 0;
> +
> +err_free_chain:
> +	cur_chain =3D head->next;
> +	while (cur_chain) {
> +		chain =3D cur_chain->next;
> +		devm_kfree(&pdev->dev, chain);
> +		cur_chain =3D chain;
> +	}

Lets take two iterations:

> +		chain =3D cur_chain->next;
> +		devm_kfree(&pdev->dev, chain);
chain freed here.
> +		cur_chain =3D chain;

> +		chain =3D cur_chain->next;
chain->next accessed here, after free.
> +		devm_kfree(&pdev->dev, chain);
> +		cur_chain =3D chain;

Should it do devm_kfree(&pdev->dev, cur_chain); ?

Best regards,
									Pavel

--=20
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo=
g.html

--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAl3g+joACgkQMOfwapXb+vKenQCfTrBeE4pjN7Dk60GFjHV55jJy
UOQAoKwtAbKijIuOZrZqMtJuB7wEO2t/
=lQXL
-----END PGP SIGNATURE-----

--2oS5YaxWCcQjTEyO--