From: Cornelia Huck <cohuck@redhat.com>
To: Schspa Shi <schspa@gmail.com>, alex.williamson@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
zhaohui.shi@horizon.ai, Schspa Shi <schspa@gmail.com>
Subject: Re: [PATCH] vfio: Fix double free for caps->buf
Date: Tue, 28 Jun 2022 10:17:52 +0200
Message-ID: <8735fpcibz.fsf@redhat.com>
In-Reply-To: <20220628050711.74945-1-schspa@gmail.com>
On Tue, Jun 28 2022, Schspa Shi <schspa@gmail.com> wrote:
> There is a double free if the vfio_iommu_dma_avail_build_caps
> call fails.
>
> The following call path will call vfio_info_cap_add multiple times:
>
> vfio_iommu_type1_get_info
>     if (!ret)
>         ret = vfio_iommu_dma_avail_build_caps(iommu, &caps);
>
>     if (!ret)
>         ret = vfio_iommu_iova_build_caps(iommu, &caps);
>
> If krealloc failed on vfio_info_cap_add, there will be a double free.
But it will only call it several times if the last call didn't fail,
won't it?
>
> Signed-off-by: Schspa Shi <schspa@gmail.com>
> ---
> drivers/vfio/vfio.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
> index 61e71c1154be..a0fb93866f61 100644
> --- a/drivers/vfio/vfio.c
> +++ b/drivers/vfio/vfio.c
> @@ -1812,6 +1812,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps,
> buf = krealloc(caps->buf, caps->size + size, GFP_KERNEL);
> if (!buf) {
> kfree(caps->buf);
> + caps->buf = NULL;
We could add this as some kind of hardening, I guess. Current callers
all seem to deal with failure correctly.
> caps->size = 0;
> return ERR_PTR(-ENOMEM);
> }
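Review bot: the commit message should say whether the second vfio_info_cap_add call is actually reachable after a failed first one; the two calls quoted from vfio_iommu_type1_get_info are each guarded by `if (!ret)`, and the error path already does `caps->size = 0;` and `return ERR_PTR(-ENOMEM);`, so if no current caller re-enters with a stale pointer this is hardening rather than a fix for a reachable double free, and the subject and description should be worded that way. The added `caps->buf = NULL;` is still worth taking on its own merits: after `kfree(caps->buf)` the struct is left with a dangling pointer and a size of zero, and resetting the pointer makes a later kfree of caps->buf by any caller's cleanup path a harmless no-op instead of a double free.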