From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: [bug report] net/sched: use the hardware intermediate representation for matchall
Date: Wed, 08 May 2019 07:17:04 +0000
Message-ID: <20190508071704.GA11889@mwanda>

Hello Pieter Jansen van Vuuren,

The patch f00cbf196814: "net/sched: use the hardware intermediate
representation for matchall" from May 4, 2019, leads to the following
static checker warning:

	net/sched/cls_matchall.c:317 mall_reoffload()
	error: double free of 'cls_mall.rule'

net/sched/cls_matchall.c
   286  static int mall_reoffload(struct tcf_proto *tp, bool add, tc_setup_cb_t *cb,
   287                            void *cb_priv, struct netlink_ext_ack *extack)
   288  {
   289          struct cls_mall_head *head = rtnl_dereference(tp->root);
   290          struct tc_cls_matchall_offload cls_mall = {};
   291          struct tcf_block *block = tp->chain->block;
   292          int err;
   293  
   294          if (tc_skip_hw(head->flags))
   295                  return 0;
   296  
   297          cls_mall.rule = flow_rule_alloc(tcf_exts_num_actions(&head->exts));
   298          if (!cls_mall.rule)
   299                  return -ENOMEM;
   300  
   301          tc_cls_common_offload_init(&cls_mall.common, tp, head->flags, block,
   302                                     extack);
   303          cls_mall.command = add ?
   304                  TC_CLSMATCHALL_REPLACE : TC_CLSMATCHALL_DESTROY;
   305          cls_mall.cookie = (unsigned long)head;
   306  
   307          err = tc_setup_flow_action(&cls_mall.rule->action, &head->exts);
   308          if (err) {
   309                  kfree(cls_mall.rule);
                        ^^^^^^^^^^^^^^^^^^^
   310                  if (add && tc_skip_sw(head->flags)) {
   311                          NL_SET_ERR_MSG_MOD(extack, "Failed to setup flow action");
   312                          return err;
   313                  }

My guess is that there should be a "return err;" here?

   314          }
   315  
   316          err = cb(TC_SETUP_CLSMATCHALL, &cls_mall, cb_priv);
                      ^^
I did check whether the cb() function pointers re-allocate ->rule and
it doesn't look like it.

   317          kfree(cls_mall.rule);
                ^^^^^^^^^^^^^^^^^^^^
   318  
   319          if (err) {
   320                  if (add && tc_skip_sw(head->flags))
   321                          return err;
   322                  return 0;
   323          }

regards,
dan carpenter
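
Added example, not part of the original message or the kernel source: a user-space model of the control flow quoted above (lines 307-323) that walks every flag and error combination and counts the paths on which the rule is freed twice, with and without the "return err;" the report guesses at. `struct rule`, `rule_free()`, `reoffload()`, `early_return` and `count_double_frees()` are hypothetical names, the tail after line 323 is assumed to return 0, and the early return models the report's guess rather than a confirmed fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for cls_mall.rule: records frees instead of touching the heap. */
struct rule { bool freed; int double_frees; };

static void rule_free(struct rule *r)          /* models kfree(cls_mall.rule) */
{
    if (r->freed)
        r->double_frees++;
    r->freed = true;
}

/* Control flow of lines 307-323 as quoted; the tail after line 323 is assumed to return 0. */
static int reoffload(struct rule *r, int setup_err, int cb_err,
                     bool add, bool skip_sw, bool early_return)
{
    int err = setup_err;                       /* tc_setup_flow_action() result */

    if (err) {
        rule_free(r);                          /* line 309 */
        if (add && skip_sw)
            return err;
        if (early_return)                      /* the "return err;" the report guesses at */
            return err;
    }
    err = cb_err;                              /* cb(TC_SETUP_CLSMATCHALL, ...) result */
    rule_free(r);                              /* line 317 */
    if (err && add && skip_sw)
        return err;
    return 0;
}

/* Walk every flag/error combination; return how many of them free the rule twice. */
static int count_double_frees(bool early_return)
{
    const int setup[] = { 0, -ENOMEM }, cb[] = { 0, -EOPNOTSUPP };
    int hits = 0;

    for (int i = 0; i < 16; i++) {
        struct rule r = { false, 0 };
        reoffload(&r, setup[i & 1], cb[(i >> 1) & 1], i & 4, i & 8, early_return);
        hits += r.double_frees;
    }
    return hits;
}

int main(void)
{
    printf("as quoted: %d, with early return: %d\n",
           count_double_frees(false), count_double_frees(true));
    return 0;
}
```

The double free is reachable only when the setup step fails and the `add && tc_skip_sw()` branch is not taken, which is the fall-through the checker flagged.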
