Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc

From: dinghao . liu
Date: Sat Dec 09 2023 - 07:44:13 EST

Next message: kernel test robot: "Re: [net-next PATCH 2/2] net: phy: at803x: add LED support for qca808x"
Previous message: Huacai Chen: "Re: [PATCH v1 2/2] LoongArch: BPF: Fix unconditional bswap instructions"
In reply to: Jakub Kicinski: "Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Thu, 7 Dec 2023 17:36:06 +0800 Dinghao Liu wrote:
> > v2: -Change the bug type from double-free to use-after-free.
> > -Move the null check against p_mngr->ilt_shadow to the beginning
> > of the function qed_ilt_shadow_free().
> > -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
> > because there is nothing to free.
>
> This refactoring is not acceptable as part of a fix, sorry.
>
> > @@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
> > p_dma->virt_addr = NULL;
> > }
> > kfree(p_mngr->ilt_shadow);
> > + p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
>
> Why do you dereference p_hwfn here?
> Seems more natural to use:
>
> p_mngr->ilt_shadow = NULL;
>
> since that's the exact pointer that was passed to free.
> --
> pw-bot: cr

I will resend a new patch to fix this, thanks!

Regards,
Dinghao

Next message: kernel test robot: "Re: [net-next PATCH 2/2] net: phy: at803x: add LED support for qca808x"
Previous message: Huacai Chen: "Re: [PATCH v1 2/2] LoongArch: BPF: Fix unconditional bswap instructions"
In reply to: Jakub Kicinski: "Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]