* [patch] target/iscsi: double free in lio_target_tiqn_addtpg()
From: Dan Carpenter @ 2016-12-13 12:27 UTC (permalink / raw)
To: kernel-janitors
This iscsit_tpg_add_portal_group() function is only called from
lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
error so it's a double free bug. The memory is allocated in the caller
so it should be freed in the caller and not here.
Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c
index 0814e5894a96..205a509b0dfb 100644
--- a/drivers/target/iscsi/iscsi_target_tpg.c
+++ b/drivers/target/iscsi/iscsi_target_tpg.c
@@ -260,7 +260,6 @@ int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_gro
iscsi_release_param_list(tpg->param_list);
tpg->param_list = NULL;
}
- kfree(tpg);
return -ENOMEM;
}
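
Review bot: With `kfree(tpg);` gone from this error path, the rule that the caller owns `tpg` is recorded only in the commit message. A short comment above iscsit_tpg_add_portal_group() stating that the caller allocates `tpg` and must free it when this function returns an error would keep a later cleanup from putting the free back here. The lines that remain still release `tpg->param_list` and set it to NULL before `return -ENOMEM;`, so the caller receives a structure with that member already cleared; the changelog could say that the caller's error handling does nothing with `tpg` beyond freeing it.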
* Re: [patch] target/iscsi: double free in lio_target_tiqn_addtpg()
From: David Disseldorp @ 2016-12-13 13:17 UTC (permalink / raw)
To: kernel-janitors
On Tue, 13 Dec 2016 15:27:04 +0300, Dan Carpenter wrote:
> This iscsit_tpg_add_portal_group() function is only called from
> lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
> error so it's a double free bug. The memory is allocated in the caller
> so it should be freed in the caller and not here.
>
> Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c
> index 0814e5894a96..205a509b0dfb 100644
> --- a/drivers/target/iscsi/iscsi_target_tpg.c
> +++ b/drivers/target/iscsi/iscsi_target_tpg.c
> @@ -260,7 +260,6 @@ int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_gro
> iscsi_release_param_list(tpg->param_list);
> tpg->param_list = NULL;
> }
> - kfree(tpg);
> return -ENOMEM;
> }
Looks good, and works for me if I manually trigger the error path.
Reviewed-by: David Disseldorp <ddiss@suse.de>
* Re: [patch] target/iscsi: double free in lio_target_tiqn_addtpg()
From: Bart Van Assche @ 2016-12-15 15:43 UTC (permalink / raw)
To: kernel-janitors
On 12/13/2016 01:27 PM, Dan Carpenter wrote:
> This iscsit_tpg_add_portal_group() function is only called from
> lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
> error so it's a double free bug. The memory is allocated in the caller
> so it should be freed in the caller and not here.
>
> Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Hello Dan,
Do you think a "Cc: stable" tag should be added to this patch?
Bart.
* Re: [patch] target/iscsi: double free in lio_target_tiqn_addtpg()
From: Dan Carpenter @ 2016-12-15 20:31 UTC (permalink / raw)
To: kernel-janitors
On Thu, Dec 15, 2016 at 04:43:55PM +0100, Bart Van Assche wrote:
> On 12/13/2016 01:27 PM, Dan Carpenter wrote:
> > This iscsit_tpg_add_portal_group() function is only called from
> > lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
> > error so it's a double free bug. The memory is allocated in the caller
> > so it should be freed in the caller and not here.
> >
> > Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Hello Dan,
>
> Do you think a "Cc: stable" tag should be added to this patch?
>
It will basically only fail for allocation errors. It's probably not
super likely. These are static checker fixes, not something I
encountered in real life.
regards,
dan carpenter
* Re: [patch] target/iscsi: double free in lio_target_tiqn_addtpg()
From: Bart Van Assche @ 2016-12-16 10:14 UTC (permalink / raw)
To: kernel-janitors
On 12/15/2016 09:31 PM, Dan Carpenter wrote:
> On Thu, Dec 15, 2016 at 04:43:55PM +0100, Bart Van Assche wrote:
>> On 12/13/2016 01:27 PM, Dan Carpenter wrote:
>>> This iscsit_tpg_add_portal_group() function is only called from
>>> lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
>>> error so it's a double free bug. The memory is allocated in the caller
>>> so it should be freed in the caller and not here.
>>>
>>> Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>
>> Do you think a "Cc: stable" tag should be added to this patch?
>
> It will basically only fail for allocation errors. It's probably not
> super likely. These are static checker fixes, not something I
> encountered in real life.
Hello Dan,
Thanks for the patch and for the additional clarification. I have queued
your patch for kernel version v4.10.
Bart.