On Fri, Nov 29, 2019 at 12:00:10PM +0100, Pavel Machek wrote:
Hi!
From: Huazhong Tan <tanhuazhong@huawei.com>
[ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
When hns3_get_ring_config()/hns3_queue_to_ring()/hns3_get_vector_ring_chain() failed during resetting, the allocated memory has not been freed before these three functions return. So this patch adds an error handler in these functions to fix it.
Correct me if I'm wrong, but... this introduces use-after-free:
@@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector, } return 0;
+err_free_chain:
- cur_chain = head->next;
- while (cur_chain) {
chain = cur_chain->next;
devm_kfree(&pdev->dev, chain);
cur_chain = chain;
- }
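Review bot: the cleanup loop at err_free_chain frees the wrong node. Each iteration saves `chain = cur_chain->next`, frees `chain`, then sets `cur_chain = chain`, so the next iteration reads `cur_chain->next` from the node that was just freed (use-after-free), and the first allocated link, `head->next`, is never freed at all (leak). Save the successor, free the current node, then advance, e.g. `chain = cur_chain->next; devm_kfree(&pdev->dev, cur_chain); cur_chain = chain;`, and consider resetting `head->next = NULL` afterwards so the stale pointer cannot be walked again on a later retry.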
Let's take two iterations:
chain = cur_chain->next;
devm_kfree(&pdev->dev, chain);
chain freed here.
cur_chain = chain;
chain = cur_chain->next;
chain->next accessed here, after free.
devm_kfree(&pdev->dev, chain);
cur_chain = chain;
Should it do devm_kfree(&pdev->dev, cur_chain); ?
I think Sasha tried to backport a fix for this patch, but that fix broke the build :(
If you want to provide a working backport, I'll be glad to take it.
thanks,
greg k-h
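The loop Pavel walks through above, reproduced in user space as an added example (this is not the hns3 driver's code and not anything posted in the thread). It uses a constructed chain of three nodes, a stand-in `fake_devm_kfree()` that only marks a node as freed instead of releasing it, and counts how many loop iterations touch a node that has already been freed, so the defect can be demonstrated without actually corrupting memory. The "as posted" variant is the loop from the hunk; the "fixed" variant applies Pavel's suggested change of freeing `cur_chain` rather than `chain`. The struct, the `freed` flag, the pool and the scenario functions are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for the driver's ring-chain node: only the next
 * pointer matters for the free loop. The "freed" flag is instrumentation
 * that the real struct does not have. */
struct chain_node {
	struct chain_node *next;
	int freed;
};

#define CHAIN_LEN 3
static struct chain_node g_head;            /* embedded head, like the vector's own chain */
static struct chain_node g_pool[CHAIN_LEN]; /* stands in for the devm-allocated links */

/* Instrumented stand-in for devm_kfree(): marks the node instead of
 * releasing it, so a later access through it can be counted. */
static void fake_devm_kfree(struct chain_node *n)
{
	if (n)
		n->freed = 1;
}

/* Rebuild head -> pool[0] -> pool[1] -> pool[2] -> NULL with nothing freed. */
static void build_chain(void)
{
	int i;

	for (i = 0; i < CHAIN_LEN; i++) {
		g_pool[i].freed = 0;
		g_pool[i].next = (i + 1 < CHAIN_LEN) ? &g_pool[i + 1] : NULL;
	}
	g_head.next = &g_pool[0];
	g_head.freed = 0;
}

/* The loop as posted in the hunk: frees cur_chain->next, then steps onto
 * the node it just freed. Returns how many iterations dereferenced an
 * already-freed node. */
static int free_chain_as_posted(struct chain_node *head)
{
	struct chain_node *chain, *cur_chain;
	int uaf_hits = 0;

	cur_chain = head->next;
	while (cur_chain) {
		if (cur_chain->freed)
			uaf_hits++; /* cur_chain->next below reads freed memory */
		chain = cur_chain->next;
		fake_devm_kfree(chain);
		cur_chain = chain;
	}
	return uaf_hits;
}

/* Corrected loop (Pavel's suggestion): save the successor, free the
 * current node, then advance. Every allocated link is freed exactly once. */
static int free_chain_fixed(struct chain_node *head)
{
	struct chain_node *chain, *cur_chain;
	int uaf_hits = 0;

	cur_chain = head->next;
	while (cur_chain) {
		if (cur_chain->freed)
			uaf_hits++; /* never triggers in this variant */
		chain = cur_chain->next;
		fake_devm_kfree(cur_chain);
		cur_chain = chain;
	}
	head->next = NULL; /* do not leave a dangling pointer behind */
	return uaf_hits;
}

/* Run one variant on a fresh chain; report accesses to freed nodes. */
static int scenario_uaf_hits(int use_fixed)
{
	build_chain();
	return use_fixed ? free_chain_fixed(&g_head) : free_chain_as_posted(&g_head);
}

/* Run one variant on a fresh chain; report links that were never freed. */
static int scenario_leaked_links(int use_fixed)
{
	int i, leaked = 0;

	scenario_uaf_hits(use_fixed);
	for (i = 0; i < CHAIN_LEN; i++)
		if (!g_pool[i].freed)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("as posted: %d freed-node accesses, %d links leaked\n",
	       scenario_uaf_hits(0), scenario_leaked_links(0));
	printf("fixed:     %d freed-node accesses, %d links leaked\n",
	       scenario_uaf_hits(1), scenario_leaked_links(1));
	return 0;
}
```

With three links the posted loop reads two already-freed nodes and never frees the first link, which is exactly the pattern Pavel traces through two iterations; the corrected loop frees all three with no access after free. On a real kernel the same defect would surface under KASAN as a use-after-free read in the second iteration, which is the check to run when backporting this hunk.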