Date: Fri, 29 Nov 2019 15:31:08 +0100
From: Greg Kroah-Hartman
To: Pavel Machek
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Huazhong Tan, "David S. Miller", Sasha Levin
Subject: Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting
Message-ID: <20191129143108.GA3708972@kroah.com>

On Fri, Nov 29, 2019 at 12:00:10PM +0100, Pavel Machek wrote:
> Hi!
>
> > From: Huazhong Tan
> >
> > [ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
> >
> > When hns3_get_ring_config()/hns3_queue_to_ring()/
> > hns3_get_vector_ring_chain() failed during resetting, the allocated
> > memory has not been freed before these three functions return. So
> > this patch adds error handler in these functions to fix it.
>
> Correct me if I'm wrong, but... this introduces use-after-free:
> > > @@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector, > > } > > > > return 0; > > + > > +err_free_chain: > > + cur_chain = head->next; > > + while (cur_chain) { > > + chain = cur_chain->next; > > + devm_kfree(&pdev->dev, chain); > > + cur_chain = chain; > > + } > > Lets take two iterations: > > > + chain = cur_chain->next; > > + devm_kfree(&pdev->dev, chain); > chain freed here. > > + cur_chain = chain; > > > + chain = cur_chain->next; > chain->next accessed here, after free. > > + devm_kfree(&pdev->dev, chain); > > + cur_chain = chain; > > Should it do devm_kfree(&pdev->dev, cur_chain); ? I think Sasha tried to backport a fix for this patch, but that fix broke the build :( If you want to provide a working backport, I'll be glad to take it. thanks, greg k-h
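
Review bot: in the err_free_chain loop of hns3_get_vector_ring_chain(), devm_kfree() is passed chain (the successor just loaded from cur_chain->next) and cur_chain is then set to that freed node, so the next iteration reads ->next from freed memory, the first node at head->next is never freed, and the final iteration hands NULL to devm_kfree(). Save the successor first and free the current node instead: `chain = cur_chain->next; devm_kfree(&pdev->dev, cur_chain); cur_chain = chain;`.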