From: Sukrut Bellary <sukrut.bellary@linux.com>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Abel Vesa <abel.vesa@linaro.org>,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
Amol Maheshwari <amahesh@qti.qualcomm.com>,
Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org,
Shuah Khan <skhan@linuxfoundation.org>
Subject: Re: [PATCH] misc: fastrpc: Fix double free of 'buf' in error path
Date: Thu, 18 May 2023 19:45:22 -0700 [thread overview]
Message-ID: <ZGbiwqMxnFFvS7y8@dev-linux.lan> (raw)
In-Reply-To: <9194ebdf-f335-4cd6-bf89-bb4f86a57784@kili.mountain>
On Thu, May 18, 2023 at 01:55:07PM +0300, Dan Carpenter wrote:
> On Thu, May 18, 2023 at 03:08:29AM -0700, Sukrut Bellary wrote:
> > smatch warning:
> > drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf'
> >
> > In fastrpc_req_mmap() error path, the fastrpc buffer is freed in
> > fastrpc_req_munmap_impl() if unmap is successful.
> >
> > But in the end, there is an unconditional call to fastrpc_buf_free().
> > So the above case triggers the double free of fastrpc buf.
> >
> > Fix this by avoiding the call to the second fastrpc_buf_free() if
> > fastrpc_req_munmap_impl() is successful.
> > 'err' is not updated as it needs to retain the err returned by
> > qcom_scm_assign_mem(), which is the starting point of this error path.
> >
> > This is based on static analysis only. Compilation tested.
>
> Please don't put this in the commit message. We want everyone reading
> the git log to believe everything is 100% rock solid. :P
>
> We need a Fixes tag.
> Fixes: 72fa6f7820c4 ("misc: fastrpc: Rework fastrpc_req_munmap")
>
> Let's add Abel to the CC list.
>
Thank you for reviewing the patch.
I will add a Fixes tag and fix the commit message.
> >
> > Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
> > Signed-off-by: Sukrut Bellary <sukrut.bellary@linux.com>
> > ---
> ^^^
> Put testing caveats here instead, where it will be removed from the
> git log.
>
Shall I add "This is based on static analysis only. Compilation tested"
here
or
is it not required to mention this for all the fixes?
Can you please recommend what's is the preferred method I need to follow?
> > drivers/misc/fastrpc.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> > index f48466960f1b..1c3ab78f274f 100644
> > --- a/drivers/misc/fastrpc.c
> > +++ b/drivers/misc/fastrpc.c
> > @@ -1921,7 +1921,10 @@ static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp)
> > return 0;
> >
> > err_assign:
> > - fastrpc_req_munmap_impl(fl, buf);
> > + if (!fastrpc_req_munmap_impl(fl, buf)) {
> > + /* buf is freed */
> > + return err;
> > + }
> > err_invoke:
> > fastrpc_buf_free(buf);
>
> This bug is real but the fix is not complete.
>
> drivers/misc/fastrpc.c
> 1911 if (err) {
> 1912 dev_err(fl->sctx->dev, "Failed to assign memory phys 0x%llx size 0x%llx err %d",
> 1913 buf->phys, buf->size, err);
> 1914 goto err_assign;
> 1915 }
> 1916 }
> 1917
> 1918 spin_lock(&fl->lock);
> 1919 list_add_tail(&buf->node, &fl->mmaps);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> buf needs to be removed from the list before we free it, otherwise it
> leads to a use after free. The fastrpc_req_munmap_impl() function does
> that but here this function just calls fastrpc_buf_free().
>
> 1920 spin_unlock(&fl->lock);
> 1921
> 1922 if (copy_to_user((void __user *)argp, &req, sizeof(req))) {
> 1923 err = -EFAULT;
> 1924 goto err_assign;
> 1925 }
> 1926
> 1927 dev_dbg(dev, "mmap\t\tpt 0x%09lx OK [len 0x%08llx]\n",
> 1928 buf->raddr, buf->size);
> 1929
> 1930 return 0;
> 1931
> 1932 err_assign:
> 1933 fastrpc_req_munmap_impl(fl, buf);
> 1934 err_invoke:
> 1935 fastrpc_buf_free(buf);
> 1936
> 1937 return err;
> 1938 }
>
Nice catch!
I will address this in the next version.
Regards,
Sukrut Bellary
> regards,
> dan carpenter
next prev parent reply other threads:[~2023-05-19 2:45 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-18 10:08 [PATCH] misc: fastrpc: Fix double free of 'buf' in error path Sukrut Bellary
2023-05-18 10:55 ` Dan Carpenter
2023-05-19 2:45 ` Sukrut Bellary [this message]
2023-05-19 4:16 ` Dan Carpenter
2023-05-19 6:12 ` Sukrut Bellary
2023-05-19 9:52 ` Srinivas Kandagatla
2023-05-19 10:22 ` Dan Carpenter
2023-05-19 10:39 ` Srinivas Kandagatla
2023-05-19 22:57 ` Sukrut Bellary
2023-06-01 4:45 ` Sukrut Bellary
2023-06-01 7:00 ` Dan Carpenter
2023-06-01 19:09 ` Sukrut Bellary
2023-05-19 10:58 ` Dan Carpenter
2023-05-19 23:39 ` Sukrut Bellary
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZGbiwqMxnFFvS7y8@dev-linux.lan \
--to=sukrut.bellary@linux.com \
--cc=abel.vesa@linaro.org \
--cc=amahesh@qti.qualcomm.com \
--cc=arnd@arndb.de \
--cc=dan.carpenter@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=srinivas.kandagatla@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).