public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: Dan Carpenter <error27@gmail.com>
Cc: linux1394-devel@lists.sourceforge.net,
	linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org
Subject: Re: [bug report] firewire: cdev: obsolete NULL check to detect IEC 61883-1 FCP region
Date: Mon, 27 Feb 2023 21:49:11 +0900	[thread overview]
Message-ID: <Y/ymx6WZIAlrtjLc@workstation> (raw)
In-Reply-To: <Y/yOy6Ddz1263Zln@kili>

Hi,
(C.C.ed to LKML and alsa-devel)

On Mon, Feb 27, 2023 at 02:06:51PM +0300, Dan Carpenter wrote:
> Hello Takashi Sakamoto,
> 
> The patch e699600232e0: "firewire: cdev: obsolete NULL check to
> detect IEC 61883-1 FCP region" from Jan 20, 2023, leads to the
> following Smatch static checker warning:
> 
> 	drivers/firewire/core-transaction.c:947 handle_fcp_region_request()
> 	warn: passing freed memory 'request'
> 
> drivers/firewire/core-transaction.c
>     930                 fw_send_response(card, request, RCODE_TYPE_ERROR);
>     931 
>     932                 return;
>     933         }
>     934 
>     935         rcu_read_lock();
>     936         list_for_each_entry_rcu(handler, &address_handler_list, link) {
>     937                 if (is_enclosing_handler(handler, offset, request->length))
>     938                         handler->address_callback(card, request, tcode,
>                                                                 ^^^^^^^
> This warning is because fwnet_receive_packet() has a kfree(r) on the
> first return path.
> 
>     939                                                   destination, source,
>     940                                                   p->generation, offset,
>     941                                                   request->data,
>     942                                                   request->length,
>     943                                                   handler->callback_data);
>     944         }
>     945         rcu_read_unlock();
>     946 
> --> 947         fw_send_response(card, request, RCODE_COMPLETE);
>     948 }

Thanks for your report.

Fortunately, We can not see the access to the released memory since the
fwnet's address handler is registered to high memory region
(0x'0001'0000'0000 to 0x'ffff'e000'0000). The region does not overlap
IEC 61883-1 FCP region (0x'ffff'f000'0b00 to 0x'ffff'f000'0f00). The
handler is called from handle_exclusive_region_request() instead of
handle_fcp_region_request().

However, the code in fwnet is against the design of address handler
apparently. The callee never release the memory for the request structure
directly. It should be done by the call of fw_send_response(). I'll
correct it for next merge window; i.e. for v6.4.


Thanks

Takashi Sakamoto

           reply	other threads:[~2023-02-27 12:49 UTC|newest]

Thread overview: expand[flat|nested]  mbox.gz  Atom feed
 [parent not found: <Y/yOy6Ddz1263Zln@kili>]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y/ymx6WZIAlrtjLc@workstation \
    --to=o-takashi@sakamocchi.jp \
    --cc=alsa-devel@alsa-project.org \
    --cc=error27@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux1394-devel@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox