From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: smtp.subspace.kernel.org; dkim=none Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2a0a:51c0:0:237:300::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6FCA0194; Sat, 18 Nov 2023 04:02:49 -0800 (PST) Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1r4K1z-0002nv-2p; Sat, 18 Nov 2023 13:02:35 +0100 Date: Sat, 18 Nov 2023 13:02:35 +0100 From: Florian Westphal To: Kamil Duljas Cc: Jakub Kicinski , "David S . Miller" , Eric Dumazet , Paolo Abeni , Jiri Pirko , Johannes Berg , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] genetlink: Prevent memory leak when krealloc fail Message-ID: <20231118120235.GA30289@breakpoint.cc> References: <20231118113357.1999-1-kamil.duljas@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231118113357.1999-1-kamil.duljas@gmail.com> User-Agent: Mutt/1.10.1 (2018-07-13) Kamil Duljas wrote: > genl_allocate_reserve_groups() allocs new memory in while loop > but if krealloc fail, the memory allocated by kzalloc is not freed. > It seems allocated memory is unnecessary when the function > returns -ENOMEM Why should it be free'd? mc_groups is not a local variable. > new_groups = krealloc(mc_groups, nlen, > GFP_KERNEL); > - if (!new_groups) > + if (!new_groups) { > + kfree(mc_groups); > return -ENOMEM; > + } How did you test this? AFAICS this results in use-after-free for every access to mc_groups after this error path is taken. Existing code looks correct, we can't grow mc_groups and return an error.