Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp603028ybl;
        Tue, 7 Jan 2020 11:42:56 -0800 (PST)
X-Google-Smtp-Source: APXvYqwpiRv7aVQsyRWncIS7xddgQ9qLGgM6dF6wW9DQtczcPXXKbYns6yDLzCMP3pRkQqk/hqCb
X-Received: by 2002:a05:6830:151a:: with SMTP id k26mr1520827otp.74.1578426176027;
        Tue, 07 Jan 2020 11:42:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578426176; cv=none;
        d=google.com; s=arc-20160816;
        b=pjolliVY4Jyd3JDTYFn6n3iZnObe2e9Gz2dIJD87cRQ/KC92sEqWjtXEHKk8fm9FEe
         UxxG3t84FXDdfGio8aybFK0k/JScl7jikoto029cUp0Q7YUNl2hpO45N9kX16ssxa2bN
         qWPRIYU92HjDFdRrChZUg5xXMOxk9A74D69pK4VUKt06Gl1jctlp+ioPN97Z+TqpICbi
         H0N30BB2z4A0yCyzF+GcYVj3C08KZhaldf/dZLpb6EbnaLiV+G7H/byq7Jx25I0xo3tA
         d9yfV0t50Ypo+EWkf4zJWK1JRhQa+TSogk2n5SxVjYHLWdDiHJiXnb3BlbtytkbtXgYu
         rFxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:message-id:references
         :in-reply-to:subject:cc:to:from:date:content-transfer-encoding
         :mime-version;
        bh=9XMTlT/TQhfW7P3cu4LqN1DK2Kz2hUbaZ+JwLzbLDqo=;
        b=I1H4lHyB7CquwoUYZ7nxJxj11+4sdeeJ77El/GdTeeTMvCLXoQfmQn41LZ9azMMKgx
         fqiV8jemCEjjJROiTHUUQTClxDcufkcSY6Lt0vvBgN6r/Td+FQ6FHg+jF/+15rZh/5b4
         wdNkgFk895aYXmC3kTze+W79SKZAOfAJMSXwZCMZIY2VJiW9nzrn8mRcgHNQas4bqC/H
         tHoduNGuIZmoilfhNx8nrn6A1vqQF4ExZXt842yxkbajBHR2qvuitqlBRku7LxLiKKY4
         u/AR/RhJlQQeNDZ7p5gJdE5ujIfvlRnyhlO1C5im3JnlS2fTpMarhCTf9i1i8rXbR7/y
         EBqw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n14si393941otk.179.2020.01.07.11.42.43;
        Tue, 07 Jan 2020 11:42:56 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728457AbgAGTlC (ORCPT <rfc822;gasparwang.pro@gmail.com>
        + 99 others); Tue, 7 Jan 2020 14:41:02 -0500
Received: from relay4-d.mail.gandi.net ([217.70.183.196]:49401 "EHLO
        relay4-d.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728358AbgAGTlB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Jan 2020 14:41:01 -0500
Received: from webmail.gandi.net (webmail19.sd4.0x35.net [10.200.201.19])
        (Authenticated sender: cengiz@kernel.wtf)
        by relay4-d.mail.gandi.net (Postfix) with ESMTPA id D2373E0007;
        Tue,  7 Jan 2020 19:40:58 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date:   Tue, 07 Jan 2020 22:40:58 +0300
From:   Cengiz Can <cengiz@kernel.wtf>
To:     Kees Cook <keescook@chromium.org>
Cc:     linux-kernel@vger.kernel.org, Anton Vorontsov <anton@enomsg.org>,
        Colin Cross <ccross@android.com>,
        Tony Luck <tony.luck@intel.com>
Subject: Re: [PATCH] fs: pstore: fix double-free on ramoops_init_przs
In-Reply-To: <202001071002.A236EBCA0@keescook>
References: <20200107110445.162404-1-cengiz@kernel.wtf>
 <202001071002.A236EBCA0@keescook>
Message-ID: <d4ec59002ede4aaf9928c7f7526da87c@kernel.wtf>
X-Sender: cengiz@kernel.wtf
User-Agent: Roundcube Webmail/1.3.8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello Kees!

It's a pleasure to hear from you!

On 2020-01-07 21:05, Kees Cook wrote:
> 
> I think this is a false positive (have you actually hit the
> double-free?). The logic in this area is:

No I did not actually hit the double-free. I'm just following
the indicators from static analyzer.

> nothing was freeing the label on the failed prz, but all the other prz
> labels were free (i.e. there is a "i--" that skips the failed prz
> alloc).

I have noticed that. Thanks for clearing it up though.

The `kfree` I was referring to is in `err:` label of function
`persistent_ram_new` in `ram_core.c#595` of `for-next/pstore` tree:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/tree/fs/pstore/ram_core.c?h=for-next/pstore#n595

Here are the relevant bits:

```
struct persistent_ram_zone *persistent_ram_new(phys_addr_t start, size_t 
size,
			u32 sig, struct persistent_ram_ecc_info *ecc_info,
			unsigned int memtype, u32 flags, char *label)
{
	/* ... */
	/* ... */
	/* ... */
	return prz;
err:
	persistent_ram_free(prz); /* <----- */
	return ERR_PTR(ret);
}
```

So, to my understanding, if our `persistent_ram_new` call in `ram.c#583`
fails, it already does clean up the `label` pointer in itself and 
returns
an ERR_PTR back to us and our skipping logic does its job.

I might be missing something but it seems so.

Thank you for looking into this.

-- 
Cengiz Can
@cengiz_io