Re: [PATCH 4.19 185/306] net: hns3: bugfix for buffer not free problem during resetting

Hi!

From: Huazhong Tan tanhuazhong@huawei.com

[ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]

When hns3_get_ring_config()/hns3_queue_to_ring()/ hns3_get_vector_ring_chain() failed during resetting, the allocated memory has not been freed before these three functions return. So this patch adds error handler in these functions to fix it.

Correct me if I'm wrong, but... this introduces use-after-free:

@@ -2592,6 +2592,16 @@ static int hns3_get_vector_ring_chain(struct hns3_enet_tqp_vector *tqp_vector, } return 0;

+err_free_chain:

• cur_chain = head->next;
• while (cur_chain) {

• chain = cur_chain->next;
  

• devm_kfree(&pdev->dev, chain);
  

• cur_chain = chain;
  

• }

Lets take two iterations:

• chain = cur_chain->next;
  

• devm_kfree(&pdev->dev, chain);
  

chain freed here.

• cur_chain = chain;
  

• chain = cur_chain->next;
  

chain->next accessed here, after free.

• devm_kfree(&pdev->dev, chain);
  

• cur_chain = chain;
  

Should it do devm_kfree(&pdev->dev, cur_chain); ?

Best regards, Pavel