Re: [PATCH net-next] net: ethtool: phy: Distinguish whether dev is got by phy start or doit

From: Dan Carpenter
Date: Mon Sep 16 2024 - 03:39:06 EST


Hi Lizhi,

kernel test robot noticed the following build warnings:

url: https://github.com/intel-lab-lkp/linux/commits/Lizhi-Xu/net-ethtool-phy-Distinguish-whether-dev-is-got-by-phy-start-or-doit/20240913-160835
base: net-next/main
patch link: https://lore.kernel.org/r/20240913080714.1809254-1-lizhi.xu%40windriver.com
patch subject: [PATCH net-next] net: ethtool: phy: Distinguish whether dev is got by phy start or doit
config: x86_64-randconfig-r072-20240914 (https://download.01.org/0day-ci/archive/20240916/202409161017.tjjHpXGT-lkp@xxxxxxxxx/config)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202409161017.tjjHpXGT-lkp@xxxxxxxxx/

smatch warnings:
net/ethtool/phy.c:235 ethnl_phy_start() error: dereferencing freed memory 'ctx->phy_req_info'

vim +235 net/ethtool/phy.c

17194be4c8e1e8 Maxime Chevallier 2024-08-21  212  int ethnl_phy_start(struct netlink_callback *cb)
17194be4c8e1e8 Maxime Chevallier 2024-08-21  213  {
17194be4c8e1e8 Maxime Chevallier 2024-08-21  214          const struct genl_info *info = genl_info_dump(cb);
17194be4c8e1e8 Maxime Chevallier 2024-08-21  215          struct ethnl_phy_dump_ctx *ctx = (void *)cb->ctx;
17194be4c8e1e8 Maxime Chevallier 2024-08-21  216          int ret;
17194be4c8e1e8 Maxime Chevallier 2024-08-21  217
17194be4c8e1e8 Maxime Chevallier 2024-08-21  218          BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
17194be4c8e1e8 Maxime Chevallier 2024-08-21  219
17194be4c8e1e8 Maxime Chevallier 2024-08-21  220          ctx->phy_req_info = kzalloc(sizeof(*ctx->phy_req_info), GFP_KERNEL);
17194be4c8e1e8 Maxime Chevallier 2024-08-21  221          if (!ctx->phy_req_info)
17194be4c8e1e8 Maxime Chevallier 2024-08-21  222                  return -ENOMEM;
17194be4c8e1e8 Maxime Chevallier 2024-08-21  223
17194be4c8e1e8 Maxime Chevallier 2024-08-21  224          ret = ethnl_parse_header_dev_get(&ctx->phy_req_info->base,
17194be4c8e1e8 Maxime Chevallier 2024-08-21  225                                           info->attrs[ETHTOOL_A_PHY_HEADER],
17194be4c8e1e8 Maxime Chevallier 2024-08-21  226                                           sock_net(cb->skb->sk), cb->extack,
17194be4c8e1e8 Maxime Chevallier 2024-08-21  227                                           false);
17194be4c8e1e8 Maxime Chevallier 2024-08-21  228          ctx->ifindex = 0;
17194be4c8e1e8 Maxime Chevallier 2024-08-21  229          ctx->phy_index = 0;
355b18bd0d5516 Lizhi Xu          2024-09-13  230          ctx->phy_req_info->dev_start_doit = 0;
17194be4c8e1e8 Maxime Chevallier 2024-08-21  231
17194be4c8e1e8 Maxime Chevallier 2024-08-21  232          if (ret)
17194be4c8e1e8 Maxime Chevallier 2024-08-21  233                  kfree(ctx->phy_req_info);
                                                                        ^^^^^^^^^^^^^^^^^
                                                                        Freed

17194be4c8e1e8 Maxime Chevallier 2024-08-21  234
355b18bd0d5516 Lizhi Xu          2024-09-13 @235          if (ctx->phy_req_info->base.dev)
                                                              ^^^^^^^^^^^^^^^^^
                                                              Use after free

355b18bd0d5516 Lizhi Xu          2024-09-13  236                  ctx->phy_req_info->dev_start_doit = 1;
355b18bd0d5516 Lizhi Xu          2024-09-13  237
17194be4c8e1e8 Maxime Chevallier 2024-08-21  238          return ret;
17194be4c8e1e8 Maxime Chevallier 2024-08-21  239  }

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki