Date: Fri, 29 Nov 2019 12:00:10 +0100
From: Pavel Machek
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Huazhong Tan, "David S. Miller", Sasha Levin
Subject: Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
Message-ID: <20191129110010.GA4313@amd>
References: <20191127203114.766709977@linuxfoundation.org> <20191127203128.798931840@linuxfoundation.org>
In-Reply-To: <20191127203128.798931840@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!
> From: Huazhong Tan
>
> [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
>
> When hns3_get_ring_config()/hns3_queue_to_ring()/
> hns3_get_vector_ring_chain() failed during resetting, the allocated
> memory has not been freed before these three functions return. So
> this patch adds error handler in these functions to fix it.

Correct me if I'm wrong, but... this introduces use-after-free:

> @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector,
>  	}
>  
>  	return 0;
> +
> +err_free_chain:
> +	cur_chain = head->next;
> +	while (cur_chain) {
> +		chain = cur_chain->next;
> +		devm_kfree(&pdev->dev, chain);
> +		cur_chain = chain;
> +	}

Let's take two iterations:

> +		chain = cur_chain->next;
> +		devm_kfree(&pdev->dev, chain);

chain freed here.

> +		cur_chain = chain;
> +		chain = cur_chain->next;

chain->next accessed here, after free.

> +		devm_kfree(&pdev->dev, chain);
> +		cur_chain = chain;

Should it do devm_kfree(&pdev->dev, cur_chain); ?

Best regards,
Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
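Review bot: the err_free_chain loop in this hunk frees the successor instead of the current node, which both leaks and walks freed memory: `devm_kfree(&pdev->dev, chain)` releases `cur_chain->next`, `cur_chain = chain` then steps onto that released node, and the next iteration's `chain = cur_chain->next` reads from it; the first element, `head->next`, is never freed, and the last iteration passes NULL to devm_kfree(). Save the successor and free the node you are standing on: `chain = cur_chain->next; devm_kfree(&pdev->dev, cur_chain); cur_chain = chain;`. The loop also starts at `head->next`, so the commit message should state why `head` itself needs no freeing.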
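To make Pavel's two-iteration walk-through concrete, here is an added user-space model of the quoted err_free_chain loop (example code, not kernel code or part of this thread). devm_kfree() and the chain nodes are replaced by constructed stand-ins that record every free and every read of an already freed node; it runs the loop as written in the hunk beside the form Pavel suggests, and also shows that the original never frees the first node and ends by passing NULL to the free routine.

```c
#include <stddef.h>
#include <stdbool.h>
#define NODES 4                          /* head plus three allocated nodes */
struct ring_chain { struct ring_chain *next; bool freed; };
static struct ring_chain pool[NODES];    /* constructed sample chain */
static int use_after_free;               /* reads/frees of an already freed node */
static int null_frees;                   /* free routine called with NULL */
/* Stand-in for devm_kfree(): marks the node freed instead of releasing it. */
static void fake_devm_kfree(struct ring_chain *p)
{
    if (!p) { null_frees++; return; }
    if (p->freed) use_after_free++;      /* double free */
    p->freed = true;
}
/* Every ->next read goes through here so a read of a freed node is caught. */
static struct ring_chain *next_of(struct ring_chain *p)
{
    if (p->freed) use_after_free++;
    return p->next;
}
/* head -> pool[1] -> pool[2] -> pool[3] -> NULL; head itself is never freed. */
static struct ring_chain *build_chain(void)
{
    for (int i = 0; i < NODES; i++) {
        pool[i].freed = false;
        pool[i].next = (i + 1 < NODES) ? &pool[i + 1] : NULL;
    }
    use_after_free = null_frees = 0;
    return &pool[0];
}
/* The err_free_chain loop as written in the quoted hunk. */
static void free_chain_buggy(struct ring_chain *head)
{
    struct ring_chain *cur_chain = head->next, *chain;
    while (cur_chain) {
        chain = next_of(cur_chain);
        fake_devm_kfree(chain);          /* frees the *next* node ... */
        cur_chain = chain;               /* ... then steps onto it */
    }
}
/* The form Pavel suggests: remember the successor, then free the current node. */
static void free_chain_fixed(struct ring_chain *head)
{
    struct ring_chain *cur_chain = head->next, *chain;
    while (cur_chain) {
        chain = next_of(cur_chain);
        fake_devm_kfree(cur_chain);
        cur_chain = chain;
    }
}
```

With three allocated nodes the hunk's loop reads a freed node twice, leaves pool[1] unfreed and calls the free routine once with NULL; the corrected loop frees all three with no freed-memory access.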