* nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0
@ 2021-11-05 9:22 YE Chengfeng
2021-11-05 10:10 ` Krzysztof Kozlowski
2021-11-05 12:17 ` Dan Carpenter
0 siblings, 2 replies; 4+ messages in thread
From: YE Chengfeng @ 2021-11-05 9:22 UTC (permalink / raw)
To: krzysztof.kozlowski@canonical.com, davem@davemloft.net,
wengjianfeng@yulong.com, kuba@kernel.org,
dan.carpenter@oracle.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Hi,
We notice that skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs, but follow error handler branch #line 2288 and #line 2356, skb is freed again, seems like a double free issue. Would you like to have a look at them? We will provide patch for them after confirmation.
https://github.com/torvalds/linux/blob/master/drivers/nfc/pn533/pn533.c#L2288
Thanks so much,
Chengfeng
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0
2021-11-05 9:22 nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0 YE Chengfeng
@ 2021-11-05 10:10 ` Krzysztof Kozlowski
2021-11-05 12:17 ` Dan Carpenter
1 sibling, 0 replies; 4+ messages in thread
From: Krzysztof Kozlowski @ 2021-11-05 10:10 UTC (permalink / raw)
To: YE Chengfeng, davem@davemloft.net, wengjianfeng@yulong.com,
kuba@kernel.org, dan.carpenter@oracle.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
On 05/11/2021 10:22, YE Chengfeng wrote:
> Hi,
>
> We notice that skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs, but follow error handler branch #line 2288 and #line 2356, skb is freed again, seems like a double free issue. Would you like to have a look at them? We will provide patch for them after confirmation.
>
> https://github.com/torvalds/linux/blob/master/drivers/nfc/pn533/pn533.c#L2288
Hi,
Indeed it looks like double free. Please send a patch even without
confirmation - code is better than just text report.
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0
2021-11-05 9:22 nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0 YE Chengfeng
2021-11-05 10:10 ` Krzysztof Kozlowski
@ 2021-11-05 12:17 ` Dan Carpenter
2021-11-05 13:37 ` 回复: " YE Chengfeng
1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2021-11-05 12:17 UTC (permalink / raw)
To: YE Chengfeng
Cc: krzysztof.kozlowski@canonical.com, davem@davemloft.net,
wengjianfeng@yulong.com, kuba@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
On Fri, Nov 05, 2021 at 09:22:12AM +0000, YE Chengfeng wrote:
> Hi,
>
> We notice that skb is already freed by dev_kfree_skb in
> pn533_fill_fragment_skbs, but follow error handler branch #line 2288
> and #line 2356, skb is freed again, seems like a double free issue.
> Would you like to have a look at them?
>
> https://github.com/torvalds/linux/blob/master/drivers/nfc/pn533/pn533.c#L2288
>
The code is buggy, yes, but it's a bit tricky to fix.
pn533_fill_fragment_skbs() never returns error codes, it returns zero
on error. Specifically it clears out the &dev->fragment_skb list and
then returns the length of the list "skb_queue_len(&dev->fragment_skb)"
which is now zero.
Returning success on transmit failure is fine because the network stack
thinks it was lost somewhere in the network and resends it. But
probably it should return -ENOMEM? But changing the return would make
the other caller into a double free now.
So probably the correct fix is to
1) Make pn533_fill_fragment_skbs() return -ENOMEM on error
2) Don't call dev_kfree_skb(skb); on error in pn533_fill_fragment_skbs().
Only call it on the success path.
3) Change the callers to check for negatives instead of <= 0
> We will provide patch for them after confirmation.
Sounds great. You can fix it however you want. My ideas are a
suggestion only.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
* 回复: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0
2021-11-05 12:17 ` Dan Carpenter
@ 2021-11-05 13:37 ` YE Chengfeng
0 siblings, 0 replies; 4+ messages in thread
From: YE Chengfeng @ 2021-11-05 13:37 UTC (permalink / raw)
To: Dan Carpenter
Cc: krzysztof.kozlowski@canonical.com, davem@davemloft.net,
wengjianfeng@yulong.com, kuba@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Thanks for your advice. I follow it and send a v2 patch, is it correct?
Best regards,
Chengfeng
-----邮件原件-----
发件人: Dan Carpenter <dan.carpenter@oracle.com>
发送时间: 2021年11月5日 20:17
收件人: YE Chengfeng <cyeaa@connect.ust.hk>
抄送: krzysztof.kozlowski@canonical.com; davem@davemloft.net; wengjianfeng@yulong.com; kuba@kernel.org; netdev@vger.kernel.org; linux-kernel@vger.kernel.org
主题: Re: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0
On Fri, Nov 05, 2021 at 09:22:12AM +0000, YE Chengfeng wrote:
> Hi,
>
> We notice that skb is already freed by dev_kfree_skb in
> pn533_fill_fragment_skbs, but follow error handler branch #line 2288
> and #line 2356, skb is freed again, seems like a double free issue.
> Would you like to have a look at them?
>
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Ftorvalds%2Flinux%2Fblob%2Fmaster%2Fdrivers%2Fnfc%2Fpn533%2Fpn
> 533.c%23L2288&data=04%7C01%7Ccyeaa%40connect.ust.hk%7C29df72d1f8a3
> 4473a15008d9a05642cf%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C6377
> 17114624016520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=9nssVI5NtyEUvnH6k
> NP60dqSmtgfWILoKXimcJWIiKc%3D&reserved=0
>
The code is buggy, yes, but it's a bit tricky to fix.
pn533_fill_fragment_skbs() never returns error codes, it returns zero on error. Specifically it clears out the &dev->fragment_skb list and then returns the length of the list "skb_queue_len(&dev->fragment_skb)"
which is now zero.
Returning success on transmit failure is fine because the network stack thinks it was lost somewhere in the network and resends it. But probably it should return -ENOMEM? But changing the return would make the other caller into a double free now.
So probably the correct fix is to
1) Make pn533_fill_fragment_skbs() return -ENOMEM on error
2) Don't call dev_kfree_skb(skb); on error in pn533_fill_fragment_skbs().
Only call it on the success path.
3) Change the callers to check for negatives instead of <= 0
> We will provide patch for them after confirmation.
Sounds great. You can fix it however you want. My ideas are a suggestion only.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-11-05 13:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-05 9:22 nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0 YE Chengfeng
2021-11-05 10:10 ` Krzysztof Kozlowski
2021-11-05 12:17 ` Dan Carpenter
2021-11-05 13:37 ` 回复: " YE Chengfeng
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox