[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7f6e6e60.21d45.18c41ff00b8.Coremail.dinghao.liu@zju.edu.cn>
Date: Thu, 7 Dec 2023 09:58:00 +0800 (GMT+08:00)
From: dinghao.liu@....edu.cn
To: "Suman Ghosh" <sumang@...vell.com>
Cc: "Ariel Elior" <aelior@...vell.com>,
"Manish Chopra" <manishc@...vell.com>,
"David S. Miller" <davem@...emloft.net>,
"Eric Dumazet" <edumazet@...gle.com>,
"Jakub Kicinski" <kuba@...nel.org>,
"Paolo Abeni" <pabeni@...hat.com>,
"Yuval Mintz" <Yuval.Mintz@...gic.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [EXT] [PATCH] qed: Fix a potential double-free in
qed_cxt_tables_alloc
Hi Suman,
> >qed_ilt_shadow_alloc() will call qed_ilt_shadow_free() to free p_hwfn-
> >>p_cxt_mngr->ilt_shadow on error. However,
> >qed_cxt_tables_alloc() frees this pointer again on failure of
> >qed_ilt_shadow_alloc() through calling qed_cxt_mngr_free(), which may
> >lead to double-free. Fix this issue by setting p_hwfn->p_cxt_mngr-
> >>ilt_shadow to NULL in qed_ilt_shadow_free().
> >
> >Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
> >Signed-off-by: Dinghao Liu <dinghao.liu@....edu.cn>
> >---
> > drivers/net/ethernet/qlogic/qed/qed_cxt.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> >diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
> >b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
> >index 65e20693c549..26e247517394 100644
> >--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
> >+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
> >@@ -933,6 +933,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn
> >*p_hwfn)
> > p_dma->virt_addr = NULL;
> > }
> > kfree(p_mngr->ilt_shadow);
> >+ p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
> [Suman] Hi Dinghao,
>
> I am not sure how this will help prevent the double free here? If qed_ilt_shadow_alloc() fails to allocate memory, then still qed_cxt_mngr_free() will be called and kfree()
> will try to free the NULL pointer. Shouldn't it be like below?
>
> if (p_mngr->ilt_shadow)
> Kfree(p_mngr->ilt_shadow);
> > }
> >
> > static int qed_ilt_blk_alloc(struct qed_hwfn *p_hwfn,
> >--
> >2.17.1
> >
kfree(NULL) is safe in kernel. But kfree() will not set the freed
pointer to NULL. Therefore, checking p_mngr->ilt_shadow will
not prevent the kfree() for the second time. Many double-free
bugs are fixed by setting the freed pointer to NULL (e.g.,
6b0d0477fce7 ("media: dvb-core: Fix double free in
dvb_register_device()")), so I just fix this bug in the same
way.
Regards,
Dinghao
Powered by blists - more mailing lists