[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
<BY3PR18MB47074E845C5C5CD540C8552DA0D42@BY3PR18MB4707.namprd18.prod.outlook.com>
Date: Mon, 24 Jun 2024 08:38:15 +0000
From: Sai Krishna Gajula <saikrishnag@...vell.com>
To: Ma Ke <make24@...as.ac.cn>, "kys@...rosoft.com" <kys@...rosoft.com>,
"haiyangz@...rosoft.com" <haiyangz@...rosoft.com>,
"wei.liu@...nel.org"
<wei.liu@...nel.org>,
"decui@...rosoft.com" <decui@...rosoft.com>,
"davem@...emloft.net" <davem@...emloft.net>,
"edumazet@...gle.com"
<edumazet@...gle.com>,
"kuba@...nel.org" <kuba@...nel.org>,
"pabeni@...hat.com" <pabeni@...hat.com>,
"shradhagupta@...ux.microsoft.com"
<shradhagupta@...ux.microsoft.com>,
"horms@...nel.org" <horms@...nel.org>,
"kotaranov@...rosoft.com" <kotaranov@...rosoft.com>,
"linyunsheng@...wei.com"
<linyunsheng@...wei.com>,
"schakrabarti@...ux.microsoft.com"
<schakrabarti@...ux.microsoft.com>,
"erick.archer@...look.com"
<erick.archer@...look.com>
CC: "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] net: mana: Fix possible double free in error handling
path
> -----Original Message-----
> From: Ma Ke <make24@...as.ac.cn>
> Sent: Monday, June 24, 2024 8:51 AM
> To: kys@...rosoft.com; haiyangz@...rosoft.com; wei.liu@...nel.org;
> decui@...rosoft.com; davem@...emloft.net; edumazet@...gle.com;
> kuba@...nel.org; pabeni@...hat.com; shradhagupta@...ux.microsoft.com;
> horms@...nel.org; kotaranov@...rosoft.com; linyunsheng@...wei.com;
> schakrabarti@...ux.microsoft.com; make24@...as.ac.cn;
> erick.archer@...look.com
> Cc: linux-hyperv@...r.kernel.org; netdev@...r.kernel.org; linux-
> kernel@...r.kernel.org
> Subject: [PATCH] net: mana: Fix possible double free in error
> handling path
>
> When auxiliary_device_add() returns error and then calls
> auxiliary_device_uninit(), callback function adev_release calls kfree(madev)
> to free memory. We shouldn't call kfree(padev) again in the error handling
> path. Signed-off-by: Ma Ke <make24@ iscas. ac. cn>
> When auxiliary_device_add() returns error and then calls
> auxiliary_device_uninit(), callback function adev_release calls kfree(madev)
> to free memory. We shouldn't call kfree(padev) again in the error handling
> path.
>
> Signed-off-by: Ma Ke <make24@...as.ac.cn>
> ---
> drivers/net/ethernet/microsoft/mana/mana_en.c | 31 +++++++++----------
> 1 file changed, 14 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c
> b/drivers/net/ethernet/microsoft/mana/mana_en.c
> index d087cf954f75..1754c92a6c15 100644
> --- a/drivers/net/ethernet/microsoft/mana/mana_en.c
> +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
> @@ -2785,8 +2785,10 @@ static int add_adev(struct gdma_dev *gd)
>
> adev = &madev->adev;
> ret = mana_adev_idx_alloc();
> - if (ret < 0)
> - goto idx_fail;
> + if (ret < 0) {
> + kfree(madev);
> + return ret;
> + }
> adev->id = ret;
>
> adev->name = "rdma";
> @@ -2795,26 +2797,21 @@ static int add_adev(struct gdma_dev *gd)
> madev->mdev = gd;
>
> ret = auxiliary_device_init(adev);
> - if (ret)
> - goto init_fail;
> + if (ret) {
> + mana_adev_idx_free(adev->id);
> + kfree(madev);
> + return ret;
> + }
>
> ret = auxiliary_device_add(adev);
> - if (ret)
> - goto add_fail;
> + if (ret) {
> + auxiliary_device_uninit(adev);
> + mana_adev_idx_free(adev->id);
> + return ret;
> + }
>
> gd->adev = adev;
> return 0;
> -
> -add_fail:
> - auxiliary_device_uninit(adev);
> -
> -init_fail:
> - mana_adev_idx_free(adev->id);
> -
> -idx_fail:
> - kfree(madev);
I think you can just avoid using add_fail and keep/retain rest of init_fail, idx_fail conditions in old way right?
> -
> - return ret;
> }
>
> int mana_probe(struct gdma_dev *gd, bool resuming)
> --
> 2.25.1
>
Powered by blists - more mailing lists