| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_20ED8A5A99ECCFE616B18F17D8056B5AF707@qq.com>
Date: Sun, 13 Apr 2025 14:16:39 +0800
From: cxxz16 <990492108@...com>
To: sgoutham@...vell.com,
gakula@...vell.com,
sbhatta@...vell.com,
hkelam@...vell.com,
bbhushan2@...vell.com,
netdev@...r.kernel.org
Cc: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
andrew+netdev@...n.ch,
linux-kernel@...r.kernel.org,
cxxz16 <990492108@...com>
Subject: [Patch next] octeontx2-pf: fix potential double free in rvu_rep_create()
In rvu_rep_create(), the netdev is allocated via alloc_etherdev()
and assigned to rep->netdev. This rep structure is then stored
in the priv->reps array indexed by rep_id.
If either rvu_rep_devlink_port_register() or register_netdev() fails,
the function frees ndev using free_netdev(ndev) before jumping to
the 'exit:' label. However, in the 'exit:' section, the function
iterates over priv->reps[] and again frees rep->netdev, which points
to the same ndev.
This results in a potential double free of the same netdev pointer,
which can cause memory corruption or crashes.
To fix this, avoid calling free_netdev(ndev) before jumping to 'exit:'.
The cleanup logic at 'exit:' should handle the freeing safely.
Signed-off-by: cxxz16 <990492108@...com>
---
drivers/net/ethernet/marvell/octeontx2/nic/rep.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
index 04e08e06f30f..de9a50f2fc39 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/rep.c
@@ -681,7 +681,6 @@ int rvu_rep_create(struct otx2_nic *priv, struct netlink_ext_ack *extack)
eth_hw_addr_random(ndev);
err = rvu_rep_devlink_port_register(rep);
if (err) {
- free_netdev(ndev);
goto exit;
}
@@ -691,7 +690,6 @@ int rvu_rep_create(struct otx2_nic *priv, struct netlink_ext_ack *extack)
NL_SET_ERR_MSG_MOD(extack,
"PFVF representor registration failed");
rvu_rep_devlink_port_unregister(rep);
- free_netdev(ndev);
goto exit;
}
--
2.34.1
Powered by blists - more mailing lists