On Fri, Nov 29, 2019 at 11:24:01PM +0100, Pavel Machek wrote:
Hi!
From: Huazhong Tan <tanhuazhong@huawei.com>
[ Upstream commit 73b907a083b8a8c1c62cb494bc9fbe6ae086c460 ]
When hns3_get_ring_config()/hns3_queue_to_ring()/hns3_get_vector_ring_chain() failed during resetting, the allocated memory has not been freed before these three functions return. So this patch adds error handler in these functions to fix it.
Correct me if I'm wrong, but... this introduces use-after-free: Should it do devm_kfree(&pdev->dev, cur_chain); ?
I think Sasha tried to backport a fix for this patch, but that fix broke the build :(
If you want to provide a working backport, I'll be glad to take it.
Actually it looks like problem originated in mainline, and there was more than one problem with this patch.
cda69d244585bc4497d3bb878c22fe2b6ad647c1 should fix it; it needs to be back-ported, too.
Yes, that is the one, can you provide a working backport for this?
thanks,
greg k-h