Re: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages

From: lyl2019
Date: Tue Mar 30 2021 - 22:03:42 EST

Next message: Alex Deucher: "Re: [PATCH 0/2] ensure alignment on CPU page for bo mapping"
Previous message: Pratyush Yadav: "Build breakage in next-20210330 due to optee_trace.h"
In reply to: David Miller: "Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----原始邮件-----
> 发件人: "David Miller" <davem@xxxxxxxxxxxxx>
> 发送时间: 2021-03-31 08:02:28 (星期三)
> 收件人: lyl2019@xxxxxxxxxxxxxxxx
> 抄送: santosh.shilimkar@xxxxxxxxxx, kuba@xxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, linux-rdma@xxxxxxxxxxxxxxx, rds-devel@xxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
> 主题: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
>
> From: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> Date: Tue, 30 Mar 2021 03:16:02 -0700
>
> > @@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
> > rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs);
> > if (IS_ERR(rm->data.op_sg)) {
> > rds_message_put(rm);
> > - return ERR_CAST(rm->data.op_sg);
> > + return ERR_PTR(-ENOMEM);
> > }
> >
> > for (i = 0; i < rm->data.op_nents; ++i) {
>
> Maybe instead do:
>
> int err = ERR_CAST(rm->data.op_sg);
> rds_message_put(rm);
> return err;
>
> Then if rds_message_alloc_sgs() starts to return other errors, they will propagate.
>
> Thank you.

The type of ERR_CAST() is void *, not int.
I think the correct patch is:

void *err = ERR_CAST(rm->data.op_sg);
rds_message_put(rm);
return err;

I have submitted the PATCH v2 for you to review.

Thanks.

Next message: Alex Deucher: "Re: [PATCH 0/2] ensure alignment on CPU page for bo mapping"
Previous message: Pratyush Yadav: "Build breakage in next-20210330 due to optee_trace.h"
In reply to: David Miller: "Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]