Date: Fri, 8 Dec 2023 15:59:57 -0800
From: Jakub Kicinski
To: Dinghao Liu
Cc: Ariel Elior, Manish Chopra, "David S. Miller", Eric Dumazet, Paolo Abeni, Yuval Mintz, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
Message-ID: <20231208155957.088c372b@kernel.org>
In-Reply-To: <20231207093606.17868-1-dinghao.liu@zju.edu.cn>
References: <20231207093606.17868-1-dinghao.liu@zju.edu.cn>

On Thu, 7 Dec 2023 17:36:06 +0800 Dinghao Liu wrote:
> v2: -Change the bug type from double-free to use-after-free.
>     -Move the null check against p_mngr->ilt_shadow to the beginning
>      of the function qed_ilt_shadow_free().
>     -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
>      because there is nothing to free.

This refactoring is not acceptable as part of a fix, sorry.

> @@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn) > p_dma->virt_addr = NULL; > } > kfree(p_mngr->ilt_shadow); > + p_hwfn->p_cxt_mngr->ilt_shadow = NULL;

Why do you dereference p_hwfn here? Seems more natural to use:

	p_mngr->ilt_shadow = NULL;

since that's the exact pointer that was passed to free.
-- 
pw-bot: cr
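
Review bot: the added line clears the field as p_hwfn->p_cxt_mngr->ilt_shadow, while the kfree() directly above it frees p_mngr->ilt_shadow, so the free and the clear are spelled two different ways for what is meant to be one pointer. Writing p_mngr->ilt_shadow = NULL; keeps the pairing obvious to anyone auditing the free path for a stale pointer. The other items in the v2 notes (moving the null check in qed_ilt_shadow_free() and changing the kcalloc() failure path in qed_ilt_shadow_alloc()) are not visible in this hunk; I would send them as a separate cleanup so that the fix stays a single NULL assignment that is easy to review and backport.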