Re: [PATCH v1] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
To: Daniil Tatianin <d-tatianin@yandex-team.ru>
Cc: Shahed Shaikh <shshaikh@marvell.com>,
	Manish Chopra <manishc@marvell.com>,
	GR-Linux-NIC-Dev@marvell.com,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
Date: Wed, 21 Dec 2022 19:40:26 +0100	[thread overview]
Message-ID: <Y6NTGjcM8aUE0M5w@localhost.localdomain> (raw)
In-Reply-To: <8c49acd6-7195-caaf-425c-b9ed9290423d@yandex-team.ru>

On Wed, Dec 21, 2022 at 10:47:29AM +0300, Daniil Tatianin wrote:
> On 12/20/22 4:32 PM, Michal Swiatkowski wrote:
> > On Tue, Dec 20, 2022 at 03:56:49PM +0300, Daniil Tatianin wrote:
> > > adapter->dcb would get silently freed inside qlcnic_dcb_enable() in
> > > case qlcnic_dcb_attach() would return an error, which always happens
> > > under OOM conditions. This would lead to use-after-free because both
> > > of the existing callers invoke qlcnic_dcb_get_info() on the obtained
> > > pointer, which is potentially freed at that point.
> > > 
> > > Propagate errors from qlcnic_dcb_enable(), and instead free the dcb
> > > pointer at callsite.
> > > 
> > > Found by Linux Verification Center (linuxtesting.org) with the SVACE
> > > static analysis tool.
> > > 
> > > Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
> > 
> > Please add Fix tag and net as target (net-next is close till the end of
> > this year)
> > 
> Sorry, I'll include a fixes tag.
> Could you please explain what I would have to do to add net as target?

Sorry, maybe it was bad wording. I meant to have PATCH net v2 in title.
For example by adding to git format-patch:
--subject-prefix="PATCH net v2"

> > > ---
> > >   drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 9 ++++++++-
> > >   drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h       | 5 ++---
> > >   drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c      | 9 ++++++++-
> > >   3 files changed, 18 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
> > > index dbb800769cb6..465f149d94d4 100644
> > > --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
> > > +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
> > > @@ -2505,7 +2505,14 @@ int qlcnic_83xx_init(struct qlcnic_adapter *adapter)
> > >   		goto disable_mbx_intr;
> > >   	qlcnic_83xx_clear_function_resources(adapter);
> > > -	qlcnic_dcb_enable(adapter->dcb);
> > > +
> > > +	err = qlcnic_dcb_enable(adapter->dcb);
> > > +	if (err) {
> > > +		qlcnic_clear_dcb_ops(adapter->dcb);
> > > +		adapter->dcb = NULL;
> > > +		goto disable_mbx_intr;
> > > +	}
> > 
> > Maybe I miss sth but it looks like there can be memory leak.
> > For example if error in attach happen after allocating of dcb->cfg.
> > Isn't it better to call qlcnic_dcb_free instead of qlcnic_clear_dcb_ops?
> I think you're right, if attach fails midway then we might leak cfg or
> something else.
> I'll use qlcnic_dcb_free() instead and completely remove
> qlcnic_clear_dcb_ops() as it
> seems to be unused and relies on dcb being in a very specific state.

Great, thanks

[...]

     prev parent reply	other threads:[~2022-12-21 18:40 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-20 12:56 [PATCH v1] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure Daniil Tatianin
2022-12-20 13:32 ` Michal Swiatkowski
2022-12-21  7:47   ` Daniil Tatianin
2022-12-21 18:40     ` Michal Swiatkowski [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y6NTGjcM8aUE0M5w@localhost.localdomain \
    --to=michal.swiatkowski@linux.intel.com \
    --cc=GR-Linux-NIC-Dev@marvell.com \
    --cc=d-tatianin@yandex-team.ru \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=manishc@marvell.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=shshaikh@marvell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.