From: Lv Yunlong
To: philipp.reisner@linbit.com, lars.ellenberg@linbit.com, axboe@kernel.dk
Cc: drbd-dev@lists.linbit.com, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Lv Yunlong
Subject: [PATCH v2] drbd: Fix a use after free in get_initial_state
Date: Fri, 2 Apr 2021 00:07:13 -0700
Message-Id: <20210402070713.4069-1-lyl2019@mail.ustc.edu.cn>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org

In get_initial_state, it calls notify_initial_state_done(skb,..) if cb->args[5]==1. I see that if genlmsg_put() fails in notify_initial_state_done(), the skb will be freed by nlmsg_free(skb). Then get_initial_state will goto out and the freed skb will be used by the return value skb->len.
My patch converts the return type of notify_initial_state_done() from void to int, so when an error occurs in notify_initial_state_done() it can return an error code. My patch also uses err to propagate the error and avoid using the freed skb.

Fixes: a29728463b254 ("drbd: Backport the "events2" command")
Signed-off-by: Lv Yunlong
---
 drivers/block/drbd/drbd_nl.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c index bf7de4c7b96c..21035ff460da 100644 --- a/drivers/block/drbd/drbd_nl.c +++ b/drivers/block/drbd/drbd_nl.c @@ -4861,7 +4861,7 @@ void notify_helper(enum drbd_notification_type type, err, seq); } -static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq) +static int notify_initial_state_done(struct sk_buff *skb, unsigned int seq) { struct drbd_genlmsghdr *dh; int err; @@ -4875,11 +4875,12 @@ static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq) if (nla_put_notification_header(skb, NOTIFY_EXISTS)) goto nla_put_failure; genlmsg_end(skb, dh); - return; + return 0; nla_put_failure: nlmsg_free(skb); pr_err("Error %d sending event. Event seq:%u\n", err, seq); + return err; } static void free_state_changes(struct list_head *list) @@ -4905,6 +4906,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb) struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0]; unsigned int seq = cb->args[2]; unsigned int n; + int err; enum drbd_notification_type flags = 0; /* There is no need for taking notification_mutex here: it doesn't @@ -4914,7 +4916,9 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb) cb->args[5]--; if (cb->args[5] == 1) { - notify_initial_state_done(skb, seq); + err = notify_initial_state_done(skb, seq); + if (err) + return err; goto out; } n = cb->args[4]++; -- 2.25.1
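Review bot: in the second hunk (the nla_put_failure path of notify_initial_state_done()), `nlmsg_free(skb);` is still executed before the new `return err;`, and that is the part that creates the dangling skb in the first place: the caller get_initial_state() is a netlink dump callback (it takes `struct netlink_callback *cb`), and the skb handed to a dump callback is allocated and owned by the netlink dump core, which keeps using it after the callback returns whatever the return value is. Propagating an error therefore stops this function's caller from touching the buffer but not its owner. Suggest dropping the nlmsg_free() and undoing the partial message instead, e.g. `genlmsg_cancel(skb, dh);` (genlmsg_cancel() tolerates a NULL hdr, so it also covers the genlmsg_put() failure), then `return err;`. Separately, the visible context declares `int err;` with no initializer and the hunk does not show where err is assigned before either `goto nla_put_failure`; please confirm both failure paths set it, otherwise the new return value is indeterminate.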
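Review bot: in the last hunk (get_initial_state()), the new `if (err) return err;` bypasses the `goto out;` that the success path still takes, and the out label is not shown; confirm that nothing there beyond `return skb->len;` (the use the commit message is removing) needs to run on the error path, for instance bookkeeping on cb->args. Note also that cb->args[5] has already been decremented to 1 when the DONE message fails, so the negative return ends the dump with the error reported to userspace and the DRBD_INITIAL_STATE_DONE event is never delivered; that is acceptable for a failed dump, but a sentence in the commit message saying so would help.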