From: Dan Carpenter <dan.carpenter@oracle.com>
To: agruen@linbit.com
Cc: drbd-dev@lists.linbit.com
Subject: [Drbd-dev] [bug report] drbd: Backport the "events2" command
Date: Mon, 6 Mar 2017 18:22:51 +0300
Message-ID: <20170304235644.GA7746@mwanda>

Hello Andreas Gruenbacher,

The patch a29728463b25: "drbd: Backport the "events2" command" from
Jul 31, 2014, leads to the following static checker warning:

	drivers/block/drbd/drbd_nl.c:4934 get_initial_state()
	error: dereferencing freed memory 'skb'

drivers/block/drbd/drbd_nl.c
  4841  static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
  4842  {
  4843          struct drbd_genlmsghdr *dh;
  4844          int err;
  4845  
  4846          err = -EMSGSIZE;
  4847          dh = genlmsg_put(skb, 0, seq, &drbd_genl_family, 0, DRBD_INITIAL_STATE_DONE);
  4848          if (!dh)
  4849                  goto nla_put_failure;
  4850          dh->minor = -1U;
  4851          dh->ret_code = NO_ERROR;
  4852          if (nla_put_notification_header(skb, NOTIFY_EXISTS))
  4853                  goto nla_put_failure;
  4854          genlmsg_end(skb, dh);
  4855          return;
  4856  
  4857  nla_put_failure:
  4858          nlmsg_free(skb);

We free this on error, but it's a void function so it seems like the
callers just assume it succeeded leading to a use after free bug.

(It's also possible that I have misunderstood the refcounting here).

  4859          pr_err("Error %d sending event. Event seq:%u\n", err, seq);
  4860  }

regards,
dan carpenter
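
The ownership pattern the report describes, as an added userspace example (not DRBD or kernel code, and not a fix taken from the driver): a helper that rolls back and reports failure instead of freeing a buffer its caller still holds. `struct msgbuf` and every function name here are constructed stand-ins for `sk_buff` and the netlink helpers.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an sk_buff: a fixed-capacity message buffer. */
struct msgbuf { size_t len, cap; char data[]; };

static struct msgbuf *msgbuf_alloc(size_t cap)
{
    struct msgbuf *b = malloc(sizeof(*b) + cap);
    if (b) { b->len = 0; b->cap = cap; }
    return b;
}

/* Append one record; 0 on success, -EMSGSIZE if it does not fit. */
static int msgbuf_put(struct msgbuf *b, const void *rec, size_t n)
{
    if (n > b->cap - b->len)
        return -EMSGSIZE;
    memcpy(b->data + b->len, rec, n);
    b->len += n;
    return 0;
}

/* Helper never frees b: it rolls back its partial write and reports the
 * error, so ownership stays with the caller on every path. */
static int put_done_marker(struct msgbuf *b, unsigned int seq)
{
    size_t start = b->len;
    if (msgbuf_put(b, "DONE", 4) || msgbuf_put(b, &seq, sizeof(seq))) {
        b->len = start;          /* trim the half-written message */
        return -EMSGSIZE;
    }
    return 0;
}

/* Caller is the single owner: one free, after the last use of b. */
static int send_initial_state(size_t cap, unsigned int seq, size_t *sent)
{
    struct msgbuf *b = msgbuf_alloc(cap);
    int err = b ? put_done_marker(b, seq) : -ENOMEM;
    *sent = err ? 0 : b->len;    /* b is read only on the success path */
    free(b);
    return err;
}

int main(void)
{
    size_t n;
    return send_initial_state(6, 1, &n) == -EMSGSIZE ? 0 : 1;
}
```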
