From: Jakub Kicinski <kuba@kernel.org>
To: Dinghao Liu <dinghao.liu@zju.edu.cn>
Cc: Ariel Elior <aelior@marvell.com>,
Manish Chopra <manishc@marvell.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Yuval Mintz <Yuval.Mintz@qlogic.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc
Date: Fri, 8 Dec 2023 15:59:57 -0800
Message-ID: <20231208155957.088c372b@kernel.org>
In-Reply-To: <20231207093606.17868-1-dinghao.liu@zju.edu.cn>

On Thu, 7 Dec 2023 17:36:06 +0800 Dinghao Liu wrote:
> v2: -Change the bug type from double-free to use-after-free.
>     -Move the null check against p_mngr->ilt_shadow to the beginning
>      of the function qed_ilt_shadow_free().
>     -When kcalloc() fails in qed_ilt_shadow_alloc(), just return
>      because there is nothing to free.

This refactoring is not acceptable as part of a fix, sorry.

> @@ -933,6 +936,7 @@ static void qed_ilt_shadow_free(struct qed_hwfn *p_hwfn)
> p_dma->virt_addr = NULL;
> }
> kfree(p_mngr->ilt_shadow);
> + p_hwfn->p_cxt_mngr->ilt_shadow = NULL;
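
Review bot: The reset on the added line "p_hwfn->p_cxt_mngr->ilt_shadow = NULL;" reaches the field through a different expression than the one handed to kfree() on the line above, so a reader has to confirm that p_mngr and p_hwfn->p_cxt_mngr refer to the same object before trusting that the freed pointer is the one being cleared. Writing "p_mngr->ilt_shadow = NULL;" directly after "kfree(p_mngr->ilt_shadow);" makes the free and the reset visibly act on the same field, and it keeps the fix to a single self-evident line.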

Why do you dereference p_hwfn here?
Seems more natural to use:

	p_mngr->ilt_shadow = NULL;

since that's the exact pointer that was passed to free.
--
pw-bot: cr

Thread overview: 4+ messages
2023-12-07 9:36 [PATCH] [v2] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Dinghao Liu
2023-12-07 9:55 ` Przemek Kitszel
2023-12-08 23:59 ` Jakub Kicinski [this message]
2023-12-09 12:40 ` dinghao.liu