lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: 
 <BY3PR18MB47074E845C5C5CD540C8552DA0D42@BY3PR18MB4707.namprd18.prod.outlook.com>
Date: Mon, 24 Jun 2024 08:38:15 +0000
From: Sai Krishna Gajula <saikrishnag@...vell.com>
To: Ma Ke <make24@...as.ac.cn>, "kys@...rosoft.com" <kys@...rosoft.com>,
        "haiyangz@...rosoft.com" <haiyangz@...rosoft.com>,
        "wei.liu@...nel.org"
	<wei.liu@...nel.org>,
        "decui@...rosoft.com" <decui@...rosoft.com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com"
	<edumazet@...gle.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "pabeni@...hat.com" <pabeni@...hat.com>,
        "shradhagupta@...ux.microsoft.com"
	<shradhagupta@...ux.microsoft.com>,
        "horms@...nel.org" <horms@...nel.org>,
        "kotaranov@...rosoft.com" <kotaranov@...rosoft.com>,
        "linyunsheng@...wei.com"
	<linyunsheng@...wei.com>,
        "schakrabarti@...ux.microsoft.com"
	<schakrabarti@...ux.microsoft.com>,
        "erick.archer@...look.com"
	<erick.archer@...look.com>
CC: "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] net: mana: Fix possible double free in error handling
 path


> -----Original Message-----
> From: Ma Ke <make24@...as.ac.cn>
> Sent: Monday, June 24, 2024 8:51 AM
> To: kys@...rosoft.com; haiyangz@...rosoft.com; wei.liu@...nel.org;
> decui@...rosoft.com; davem@...emloft.net; edumazet@...gle.com;
> kuba@...nel.org; pabeni@...hat.com; shradhagupta@...ux.microsoft.com;
> horms@...nel.org; kotaranov@...rosoft.com; linyunsheng@...wei.com;
> schakrabarti@...ux.microsoft.com; make24@...as.ac.cn;
> erick.archer@...look.com
> Cc: linux-hyperv@...r.kernel.org; netdev@...r.kernel.org; linux-
> kernel@...r.kernel.org
> Subject: [PATCH] net: mana: Fix possible double free in error
> handling path
> 
> When auxiliary_device_add() returns error and then calls
> auxiliary_device_uninit(), callback function adev_release calls kfree(madev)
> to free memory. We shouldn't call kfree(padev) again in the error handling
> path. Signed-off-by: Ma Ke <make24@ iscas. ac. cn>

> When auxiliary_device_add() returns error and then calls
> auxiliary_device_uninit(), callback function adev_release calls kfree(madev)
> to free memory. We shouldn't call kfree(padev) again in the error handling
> path.
> 
> Signed-off-by: Ma Ke <make24@...as.ac.cn>
> ---
>  drivers/net/ethernet/microsoft/mana/mana_en.c | 31 +++++++++----------
>  1 file changed, 14 insertions(+), 17 deletions(-)
> 
> diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c
> b/drivers/net/ethernet/microsoft/mana/mana_en.c
> index d087cf954f75..1754c92a6c15 100644
> --- a/drivers/net/ethernet/microsoft/mana/mana_en.c
> +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
> @@ -2785,8 +2785,10 @@ static int add_adev(struct gdma_dev *gd)
> 
>  	adev = &madev->adev;
>  	ret = mana_adev_idx_alloc();
> -	if (ret < 0)
> -		goto idx_fail;
> +	if (ret < 0) {
> +		kfree(madev);
> +		return ret;
> +	}
>  	adev->id = ret;
> 
>  	adev->name = "rdma";
> @@ -2795,26 +2797,21 @@ static int add_adev(struct gdma_dev *gd)
>  	madev->mdev = gd;
> 
>  	ret = auxiliary_device_init(adev);
> -	if (ret)
> -		goto init_fail;
> +	if (ret) {
> +		mana_adev_idx_free(adev->id);
> +		kfree(madev);
> +		return ret;
> +	}
> 
>  	ret = auxiliary_device_add(adev);
> -	if (ret)
> -		goto add_fail;
> +	if (ret) {
> +		auxiliary_device_uninit(adev);
> +		mana_adev_idx_free(adev->id);
> +		return ret;
> +	}
> 
>  	gd->adev = adev;
>  	return 0;
> -
> -add_fail:
> -	auxiliary_device_uninit(adev);
> -
> -init_fail:
> -	mana_adev_idx_free(adev->id);
> -
> -idx_fail:
> -	kfree(madev);
I think you can just avoid using add_fail and keep/retain rest of init_fail, idx_fail conditions in old way right?
> -
> -	return ret;
>  }
> 
>  int mana_probe(struct gdma_dev *gd, bool resuming)
> --
> 2.25.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ