* [PATCH] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
@ 2022-11-14 11:06 Wei Yongjun
2023-12-14 10:46 ` Dan Carpenter
2023-12-19 2:19 ` Martin K. Petersen
0 siblings, 2 replies; 4+ messages in thread
From: Wei Yongjun @ 2022-11-14 11:06 UTC
To: Maurizio Lombardi, Chad Dupuis, Saurav Kashyap, Javed Hasan,
GR-QLogic-Storage-Upstream, James E.J. Bottomley,
Martin K. Petersen
Cc: Wei Yongjun, linux-scsi
From: Wei Yongjun <weiyongjun1@huawei.com>
skb_share_check() already drops the reference of skb when it returns
NULL, so using kfree_skb() in the error handling path leads to an skb
double free.
Fix it by removing the variable tmp_skb and returning directly when
skb_share_check() returns NULL.
Fixes: 01a4cc4d0cd6 ("bnx2fc: do not add shared skbs to the fcoe_rx_list")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
---
drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
index 05ddbb9bb7d8..451a58e0fd96 100644
--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
@@ -429,7 +429,6 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
struct fcoe_ctlr *ctlr;
struct fcoe_rcv_info *fr;
struct fcoe_percpu_s *bg;
- struct sk_buff *tmp_skb;
interface = container_of(ptype, struct bnx2fc_interface,
fcoe_packet_type);
@@ -441,11 +440,9 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
goto err;
}
- tmp_skb = skb_share_check(skb, GFP_ATOMIC);
- if (!tmp_skb)
- goto err;
-
- skb = tmp_skb;
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (!skb)
+ return -1;
if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
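Review bot: The new `return -1` in the `if (!skb)` branch is the one error exit in this hunk that does not go through `goto err`, and nothing in the code says why. The reason lives only in the commit message (skb_share_check() has already dropped the skb when it returns NULL, and the error handling path calls kfree_skb()), so a one-line comment above the return, for example `/* skb_share_check() freed the skb on failure */`, would keep a later cleanup from turning it back into `goto err` and reintroducing the double free. Assigning the result straight to `skb` is the right call: on failure no pointer to the released buffer is left in the variable.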
--
2.34.1
* Re: [PATCH] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
2022-11-14 11:06 [PATCH] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Wei Yongjun
@ 2023-12-14 10:46 ` Dan Carpenter
2023-12-19 1:34 ` Martin K. Petersen
2023-12-19 2:19 ` Martin K. Petersen
1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2023-12-14 10:46 UTC
To: Wei Yongjun
Cc: Maurizio Lombardi, Chad Dupuis, Saurav Kashyap, Javed Hasan,
GR-QLogic-Storage-Upstream, James E.J. Bottomley,
Martin K. Petersen, Wei Yongjun, linux-scsi
What ever happened to this patch? I was reviewing old use after free
static checker warnings (Smatch) and came across it. The patch looks
correct to me (I wrote the exact same patch myself before seeing this
one on lore).
regards,
dan carpenter
On Mon, Nov 14, 2022 at 11:06:26AM +0000, Wei Yongjun wrote:
> From: Wei Yongjun <weiyongjun1@huawei.com>
>
> skb_share_check() already drops the reference of skb when it returns
> NULL, so using kfree_skb() in the error handling path leads to an skb
> double free.
>
> Fix it by removing the variable tmp_skb and returning directly when
> skb_share_check() returns NULL.
>
> Fixes: 01a4cc4d0cd6 ("bnx2fc: do not add shared skbs to the fcoe_rx_list")
> Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
> ---
> drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
> index 05ddbb9bb7d8..451a58e0fd96 100644
> --- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
> +++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
> @@ -429,7 +429,6 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
> struct fcoe_ctlr *ctlr;
> struct fcoe_rcv_info *fr;
> struct fcoe_percpu_s *bg;
> - struct sk_buff *tmp_skb;
>
> interface = container_of(ptype, struct bnx2fc_interface,
> fcoe_packet_type);
> @@ -441,11 +440,9 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
> goto err;
> }
>
> - tmp_skb = skb_share_check(skb, GFP_ATOMIC);
> - if (!tmp_skb)
> - goto err;
> -
> - skb = tmp_skb;
> + skb = skb_share_check(skb, GFP_ATOMIC);
> + if (!skb)
> + return -1;
>
> if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
> printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
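Review bot: The literal `-1` returned from the `!skb` branch is now a second copy of the function's failure value, separate from whatever the `err` exit returns after its kfree_skb(). If the two are meant to stay identical, a second label placed after the kfree_skb() in the error path (a hypothetical `err_nofree:`) with a `goto` to it from this branch would keep a single return statement for both cases; if they are allowed to differ, the choice of value deserves a sentence in the commit message.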
> --
> 2.34.1
>
* Re: [PATCH] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
2023-12-14 10:46 ` Dan Carpenter
@ 2023-12-19 1:34 ` Martin K. Petersen
0 siblings, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2023-12-19 1:34 UTC
To: Dan Carpenter
Cc: Wei Yongjun, Maurizio Lombardi, Chad Dupuis, Saurav Kashyap,
Javed Hasan, GR-QLogic-Storage-Upstream, James E.J. Bottomley,
Martin K. Petersen, Wei Yongjun, linux-scsi
Dan,
> What ever happened to this patch? I was reviewing old use after free
> static checker warnings (Smatch) and came across it. The patch looks
> correct to me (I wrote the exact same patch myself before seeing this
> one on lore).
Not sure what happened. Patchwork had it tagged as "New/archived" which
is really peculiar.
In any case I have applied the patch to 6.7/scsi-fixes, thanks!
--
Martin K. Petersen Oracle Linux Engineering
* Re: [PATCH] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
2022-11-14 11:06 [PATCH] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Wei Yongjun
2023-12-14 10:46 ` Dan Carpenter
@ 2023-12-19 2:19 ` Martin K. Petersen
1 sibling, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2023-12-19 2:19 UTC
To: Maurizio Lombardi, Chad Dupuis, Saurav Kashyap, Javed Hasan,
GR-QLogic-Storage-Upstream, James E.J. Bottomley, Wei Yongjun
Cc: Martin K . Petersen, Wei Yongjun, linux-scsi
On Mon, 14 Nov 2022 11:06:26 +0000, Wei Yongjun wrote:
> skb_share_check() already drops the reference of skb when it returns
> NULL, so using kfree_skb() in the error handling path leads to an skb
> double free.
>
> Fix it by removing the variable tmp_skb and returning directly when
> skb_share_check() returns NULL.
>
> [...]
Applied to 6.7/scsi-fixes, thanks!
[1/1] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
https://git.kernel.org/mkp/scsi/c/08c94d80b2da
--
Martin K. Petersen Oracle Linux Engineering