Message-ID: <20231208155957.088c372b@kernel.org>
Date: Fri, 8 Dec 2023 15:59:57 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Dinghao Liu <dinghao.liu@....edu.cn>
Cc: Ariel Elior <aelior@...vell.com>, Manish Chopra <manishc@...vell.com>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Yuval Mintz
<Yuval.Mintz@...gic.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] [v2] qed: Fix a potential use-after-free in
qed_cxt_tables_alloc
On Thu, 7 Dec 2023 17:36:06 +0800 Dinghao Liu wrote:
> v2: -Change the bug type from double-free to use-after-free.
> -Move the null check against p_mngr->ilt_shadow to the beginning
> of the function qed_ilt_shadow_free().
> -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
> because there is nothing to free.
This refactoring is not acceptable as part of a fix, sorry.
> @@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
> p_dma->virt_addr = NULL;
> }
> kfree(p_mngr->ilt_shadow);
> + p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
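Review bot: the added reset on the last line of this hunk writes through p_hwfn->p_cxt_mngr->ilt_shadow, while the kfree() directly above it takes p_mngr->ilt_shadow. Clear the pointer through the same local, `p_mngr->ilt_shadow = NULL;`, so the freed pointer and the cleared pointer are visibly the same field, matching how the context line `p_dma->virt_addr = NULL;` resets through the local it works on. A one-line comment saying that the reset guards against a later call seeing the stale pointer would also make the intent of the fix clear in the code.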
Why do you dereference p_hwfn here?
Seems more natural to use:

	p_mngr->ilt_shadow = NULL;

since that's the exact pointer that was passed to free.
--
pw-bot: cr