Date: Tue, 2 Feb 2021 14:32:03 +0300
From: Dan Carpenter
To: Mark Fasheh
Cc: Joel Becker, Joseph Qi, Andrew Morton, Takashi Iwai, Jens Axboe, Alex Shi, Jiri Slaby, ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH v2] ocfs2: Fix a use after free on error
X-Mailing-List: linux-kernel@vger.kernel.org

The error handling in this function frees "reg" but it is still on the "o2hb_all_regions" list so it will lead to a use after free.

Joseph Qi points out that we need to clear the bit in the "o2hb_region_bitmap" as well.

Fixes: 1cf257f51191 ("ocfs2: fix memory leak")
Signed-off-by: Dan Carpenter
---
v2: The first version didn't clear the bit.

fs/ocfs2/cluster/heartbeat.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c index 0179a73a3fa2..12a7590601dd 100644 --- a/fs/ocfs2/cluster/heartbeat.c +++ b/fs/ocfs2/cluster/heartbeat.c @@ -2042,7 +2042,7 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g o2hb_nego_timeout_handler, reg, NULL, ®->hr_handler_list); if (ret) - goto free; + goto remove_item; ret = o2net_register_handler(O2HB_NEGO_APPROVE_MSG, reg->hr_key, sizeof(struct o2hb_nego_msg), 
@@ -2057,6 +2057,12 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g unregister_handler: o2net_unregister_handler_list(®->hr_handler_list); +remove_item: + spin_lock(&o2hb_live_lock); + list_del(®->hr_all_item); + if (o2hb_global_heartbeat_active()) + clear_bit(reg->hr_region_num, o2hb_region_bitmap); + spin_unlock(&o2hb_live_lock); free: kfree(reg); return ERR_PTR(ret); -- 2.30.0
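
Review bot: in the first hunk (@@ -2042), the failure path of the first o2net_register_handler() call now jumps to remove_item, which sits below unregister_handler and therefore skips o2net_unregister_handler_list(); that is correct only if a failed registration leaves nothing on reg->hr_handler_list. The visible lines do not show that, so a one-line comment at the goto, or a sentence in the commit message, stating it would save the next reader from having to check.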
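
Review bot: in the second hunk (@@ -2057), clear_bit(reg->hr_region_num, o2hb_region_bitmap) under remove_item is guarded by o2hb_global_heartbeat_active() evaluated at cleanup time, while list_del() is unconditional. The matching set of the bit is outside the visible context, so please confirm it is made under the same condition and under o2hb_live_lock, and that the heartbeat mode cannot change between the two critical sections; if it can, the bit is either leaked or cleared for a region number this call never reserved. A short comment above remove_item naming what it undoes would make the pairing easy to audit.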