Subject: Re: [PATCH] ocfs2: Fix a use after free on error
From: Joseph Qi
To: Dan Carpenter, Mark Fasheh, Jiri Slaby
Cc: Joel Becker, Andrew Morton, Alex Shi, Jens Axboe, ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Date: Tue, 2 Feb 2021 09:48:11 +0800
Message-ID: <2809e2b1-fcb4-bd91-d855-9812ede19447@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2/1/21 8:25 PM, Dan Carpenter wrote:
> The error handling in this function frees "reg" but it is still on the
> "o2hb_all_regions" list so it will lead to a use after free.  The fix
> for this is to only add it to the list after everything has succeeded.
>

Seems we have to clear the bitmap as well in the error case. So how about adding a new error label and handling them both?

Thanks,
Joseph

> Fixes: 1cf257f51191 ("ocfs2: fix memory leak")
> Signed-off-by: Dan Carpenter
> ---
> This is from static analysis and hasn't been tested.
>
>  fs/ocfs2/cluster/heartbeat.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
> index 0179a73a3fa2..92af4dc813e7 100644
> --- a/fs/ocfs2/cluster/heartbeat.c
> +++ b/fs/ocfs2/cluster/heartbeat.c
> @@ -2025,7 +2025,6 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g
>  		}
>  		set_bit(reg->hr_region_num, o2hb_region_bitmap);
>  	}
> -	list_add_tail(&reg->hr_all_item, &o2hb_all_regions);
>  	spin_unlock(&o2hb_live_lock);
>  
>  	config_item_init_type_name(&reg->hr_item, name, &o2hb_region_type);
> @@ -2053,6 +2052,10 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g
>  
>  	o2hb_debug_region_init(reg, o2hb_debug_dir);
>  
> +	spin_lock(&o2hb_live_lock);
> +	list_add_tail(&reg->hr_all_item, &o2hb_all_regions);
> +	spin_unlock(&o2hb_live_lock);
> +
>  	return &reg->hr_item;
>  
>  unregister_handler:
>
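Review bot: in the first hunk (the @@ -2025,7 +2025,6 @@ region), dropping list_add_tail() from this critical section leaves the set_bit(reg->hr_region_num, o2hb_region_bitmap) two lines above it with no matching clear_bit() on any later failure path that frees reg, so each failed make_item consumes a region number that is never given back; as the reply points out, the new error label should clear that bit under o2hb_live_lock, guarded the same way the set_bit() is, before reg is freed. It is also worth saying in the changelog that the error paths no longer need to unlink reg only because nothing is linked until the end of the function.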
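Review bot: in the second hunk, list_add_tail() now runs after config_item_init_type_name() and o2hb_debug_region_init(), so between the first spin_unlock(&o2hb_live_lock) and this new critical section the region number is reserved in o2hb_region_bitmap while the region is not yet on o2hb_all_regions; please confirm that nothing executed in that window, and no concurrent walker of o2hb_all_regions, assumes a set bit implies a listed region. Since the cover note says the patch is untested, the case to exercise is a forced failure on the path that reaches unregister_handler:, checking that reg is freed without ever having been linked.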
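As an added illustration, not code from the patch or from ocfs2, the following userspace C model reproduces the ordering problem the patch and the reply above are about. The pre-patch sequence links the object onto a global list before a later step can fail and then frees it while it is still linked; the fixed sequence links last and, via a new error label, also returns the bitmap bit on failure. The arena allocator, the register_handler() fault switch, the outcome struct and all names are constructed for this example; a "freed" object is modelled by an in_use flag so the stale list entry can be inspected without real undefined behaviour.

```c
/* Userspace model of the ordering bug discussed above: an object linked on a global
 * list before its setup is complete, then freed on error while still linked.
 * Constructed example, not ocfs2 code; arena, fault switch and names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_REGIONS 8

/* Intrusive circular list, same shape as the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }

struct region {
	struct list_head all_item;	/* hr_all_item in ocfs2 */
	int region_num;			/* bit held in region_bitmap */
	bool in_use;			/* arena slot state; stands in for kmalloc/kfree */
};

/* Fixed arena instead of kmalloc/kfree: a "freed" slot just has in_use == false,
 * so a stale list entry can be inspected without real undefined behaviour. */
static struct region arena[MAX_REGIONS];
static struct list_head all_regions;
static unsigned long region_bitmap;

static void reset_state(void)
{
	memset(arena, 0, sizeof(arena));
	all_regions.next = all_regions.prev = &all_regions;
	region_bitmap = 0;
}
static struct region *region_alloc(void)
{
	for (int i = 0; i < MAX_REGIONS; i++)
		if (!arena[i].in_use) { arena[i].in_use = true; return &arena[i]; }
	return NULL;
}
static void region_free(struct region *reg) { reg->in_use = false; }

/* Reserve the lowest free region number, or -1 when all are taken. */
static int reserve_region_num(void)
{
	for (int bit = 0; bit < MAX_REGIONS; bit++)
		if (!(region_bitmap & (1UL << bit))) { region_bitmap |= 1UL << bit; return bit; }
	return -1;
}
/* A later setup step that can fail; 'fail' is a constructed fault switch. */
static int register_handler(struct region *reg, bool fail) { (void)reg; return fail ? -1 : 0; }

/* Pre-patch ordering: linked before every step has succeeded, freed while still linked. */
static struct region *make_region_buggy(bool fail)
{
	struct region *reg = region_alloc();
	if (!reg) return NULL;
	reg->region_num = reserve_region_num();
	if (reg->region_num < 0) goto out_free;
	list_add_tail(&reg->all_item, &all_regions);	/* published too early */
	if (register_handler(reg, fail)) goto out_free;	/* BUG: reg stays on all_regions */
	return reg;
out_free:
	region_free(reg);
	return NULL;
}

/* Fixed ordering: link last, and give the bitmap bit back via a new error label. */
static struct region *make_region_fixed(bool fail)
{
	struct region *reg = region_alloc();
	if (!reg) return NULL;
	reg->region_num = reserve_region_num();
	if (reg->region_num < 0) goto out_free;
	if (register_handler(reg, fail)) goto out_unreserve;
	list_add_tail(&reg->all_item, &all_regions);	/* publish only on success */
	return reg;
out_unreserve:
	region_bitmap &= ~(1UL << reg->region_num);	/* undo the reservation */
out_free:
	region_free(reg);	/* never linked, so nothing dangles */
	return NULL;
}

struct outcome { int listed, dangling, reserved; };

/* One create attempt from a clean state: entries left on all_regions, how many of
 * them point at a freed slot, and how many region bits are still reserved. */
static struct outcome create_once(bool fixed, bool fail)
{
	struct outcome o = { 0, 0, 0 };
	reset_state();
	(void)(fixed ? make_region_fixed(fail) : make_region_buggy(fail));
	for (struct list_head *p = all_regions.next; p != &all_regions; p = p->next) {
		struct region *reg = (struct region *)((char *)p - offsetof(struct region, all_item));
		o.listed++;
		if (!reg->in_use) o.dangling++;	/* walking this in real code is the UAF */
	}
	for (unsigned long b = region_bitmap; b; b >>= 1) o.reserved += (int)(b & 1);
	return o;
}

int main(void)
{
	struct outcome b = create_once(false, true), f = create_once(true, true);
	printf("failed create, buggy: listed=%d dangling=%d reserved=%d\n", b.listed, b.dangling, b.reserved);
	printf("failed create, fixed: listed=%d dangling=%d reserved=%d\n", f.listed, f.dangling, f.reserved);
	return 0;
}
```

After a failed create the buggy variant leaves one entry on the list that points at a freed slot and one bit still reserved, which is exactly the pair of problems the patch and the reply describe; the fixed variant leaves neither, and a successful create still yields one listed, live region with its bit set. In the real kernel the list walk that this model performs safely is the use after free, and the bit left behind is the leaked region number.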