From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Sven Eckelmann, Marek Lindner, Antonio Quartulli
Subject: [PATCH 4.4 42/93] batman-adv: Fix unexpected free of bcast_own on add_if error
Date: Thu, 19 Mar 2020 13:59:46 +0100
Message-Id: <20200319123938.445830048@linuxfoundation.org>
In-Reply-To: <20200319123924.795019515@linuxfoundation.org>

From: Sven Eckelmann

commit f7dcdf5fdbe8fec7670d8f65a5db595c98e0ecab upstream.

The function batadv_iv_ogm_orig_add_if allocates new buffers for bcast_own
and bcast_own_sum. It is expected that these buffers are unchanged in case
either bcast_own or bcast_own_sum couldn't be resized.

But the error handling of this function frees the already resized buffer
for bcast_own when the allocation of the new bcast_own_sum buffer failed.
This will lead to an invalid memory access when some code will try to
access bcast_own.

Instead the resized new bcast_own buffer has to be kept. This will not lead
to problems because the size of the buffer was only increased and therefore
no user of the buffer will try to access bytes outside of the new buffer.

Fixes: d0015fdd3d2c ("batman-adv: provide orig_node routing API")
Signed-off-by: Sven Eckelmann
Signed-off-by: Marek Lindner
Signed-off-by: Antonio Quartulli
Signed-off-by: Greg Kroah-Hartman
---
 net/batman-adv/bat_iv_ogm.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c
@@ -155,10 +155,8 @@ static int batadv_iv_ogm_orig_add_if(str orig_node->bat_iv.bcast_own = data_ptr; data_ptr = kmalloc_array(max_if_num, sizeof(u8), GFP_ATOMIC); - if (!data_ptr) { - kfree(orig_node->bat_iv.bcast_own); + if (!data_ptr) goto unlock; - } memcpy(data_ptr, orig_node->bat_iv.bcast_own_sum, (max_if_num - 1) * sizeof(u8));
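
Review bot: On the `if (!data_ptr) goto unlock;` path after the second kmalloc_array(), `orig_node->bat_iv.bcast_own = data_ptr;` has already installed the resized buffer, so a failure here leaves bcast_own sized for max_if_num while bcast_own_sum still holds max_if_num - 1 entries, and nothing in the code says that this mismatch is intended. The commit message explains why keeping the larger buffer is safe, but that reasoning is lost once the kfree() is gone; a one-line comment at the goto stating that the grown bcast_own is kept on purpose would stop a later cleanup from reintroducing the free. A sturdier alternative is to allocate both new buffers before assigning either one, so that an allocation failure leaves both fields untouched, which is the behaviour the commit message says is expected.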