From: Dan Carpenter <dan.carpenter@oracle.com>
To: YE Chengfeng <cyeaa@connect.ust.hk>
Cc: "krzysztof.kozlowski@canonical.com" 
	<krzysztof.kozlowski@canonical.com>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"wengjianfeng@yulong.com" <wengjianfeng@yulong.com>,
	"kuba@kernel.org" <kuba@kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0
Date: Fri, 5 Nov 2021 15:17:15 +0300
Message-ID: <20211105121715.GB2026@kadam>
In-Reply-To: <TYCP286MB1188FA6BE2735C22AA9C473E8A8E9@TYCP286MB1188.JPNP286.PROD.OUTLOOK.COM>

On Fri, Nov 05, 2021 at 09:22:12AM +0000, YE Chengfeng wrote:
> Hi,
> 
> We noticed that skb is already freed by dev_kfree_skb() in
> pn533_fill_fragment_skbs(), but following the error-handler branches at
> line 2288 and line 2356, skb is freed again, which seems like a
> double-free issue. Would you like to have a look at them?
> 
> https://github.com/torvalds/linux/blob/master/drivers/nfc/pn533/pn533.c#L2288 
> 

The code is buggy, yes, but it's a bit tricky to fix.

pn533_fill_fragment_skbs() never returns error codes; it returns zero
on error.  Specifically, it clears out the &dev->fragment_skb list and
then returns the length of the list, "skb_queue_len(&dev->fragment_skb)",
which is now zero.

Returning success on transmit failure is fine because the network stack
thinks it was lost somewhere in the network and resends it.  But
probably it should return -ENOMEM?  But changing the return would make
the other caller into a double free now.

So probably the correct fix is to
1) Make pn533_fill_fragment_skbs() return -ENOMEM on error
2) Don't call dev_kfree_skb(skb); on error in pn533_fill_fragment_skbs().
   Only call it on the success path.
3) Change the callers to check for negatives instead of <= 0

> We will provide patch for them after confirmation.

Sounds great.  You can fix it however you want.  My ideas are a
suggestion only.

regards,
dan carpenter

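The ownership problem in this thread is easier to see when the three variants sit side by side, so here is an added example (not code from drivers/nfc/pn533/pn533.c and not written by either participant): a toy C model of the contract Dan describes. Frees are counted instead of calling free(), so a double free is visible as a count of 2 rather than as heap corruption. Every name in it (toy_skb, frag_queue, alloc_fragment, fill_fragments_*, count_frees) is invented for the example; the real driver's types and control flow are not reproduced. It shows the current contract with the "rc <= 0" callers, the "step 1 only" variant that Dan warns turns the other caller into a double free, and the full fix (steps 1 to 3).

```c
/*
 * Added example, not code from drivers/nfc/pn533/pn533.c: a toy model of
 * the skb ownership contract discussed above. Frees are counted instead of
 * calling free(), so a double free shows up as a count of 2 rather than as
 * heap corruption. All names here (toy_skb, frag_queue, fill_*) are invented.
 */
#include <errno.h>
#include <stdio.h>

#define MAX_FRAGS 8

struct toy_skb { int len; int frees; };		/* frees: dev_kfree_skb count */
struct frag_queue { int frags[MAX_FRAGS]; int len; }; /* dev->fragment_skb */

static void toy_dev_kfree_skb(struct toy_skb *skb) { skb->frees++; }
static void toy_skb_queue_purge(struct frag_queue *q) { q->len = 0; }

/* One fragment allocation; fails like alloc_skb() returning NULL once the
 * queue already holds fail_after fragments (or is full). */
static int alloc_fragment(struct frag_queue *q, int fail_after)
{
	if (q->len >= fail_after || q->len >= MAX_FRAGS)
		return -ENOMEM;
	q->frags[q->len++] = 1;
	return 0;
}

/* Contract as the thread describes the current code: purge the list on
 * allocation failure and return skb_queue_len(), now 0; the original skb is
 * freed on every path. */
int fill_fragments_buggy(struct frag_queue *q, struct toy_skb *skb, int fail_after)
{
	int remaining = skb->len;

	q->len = 0;
	while (remaining-- > 0) {
		if (alloc_fragment(q, fail_after) < 0) {
			toy_skb_queue_purge(q);
			break;
		}
	}
	toy_dev_kfree_skb(skb);		/* first free, failure included */
	return q->len;			/* 0 on failure */
}

/* Only step 1 applied: -ENOMEM on failure, unconditional free kept. A
 * caller that now checks for negatives frees skb a second time: the
 * "other caller" double free mentioned above. */
int fill_fragments_half_fixed(struct frag_queue *q, struct toy_skb *skb, int fail_after)
{
	int rc = fill_fragments_buggy(q, skb, fail_after);

	return rc == 0 ? -ENOMEM : rc;
}

/* Steps 1 and 2 applied: -ENOMEM on failure, and skb is freed only on the
 * success path, so the caller keeps ownership whenever an error comes back. */
int fill_fragments_fixed(struct frag_queue *q, struct toy_skb *skb, int fail_after)
{
	int remaining = skb->len;

	q->len = 0;
	while (remaining-- > 0) {
		if (alloc_fragment(q, fail_after) < 0) {
			toy_skb_queue_purge(q);
			return -ENOMEM;	/* skb still owned by the caller */
		}
	}
	toy_dev_kfree_skb(skb);		/* success: fragments carry the data now */
	return q->len;
}

typedef int (*fill_fn)(struct frag_queue *, struct toy_skb *, int);

/* One transmit attempt: fill, then the caller's error handler, which frees
 * skb on "rc <= 0" (old_check = 1, the current callers) or on "rc < 0"
 * (step 3). Returns how many times the original skb was freed in total. */
int count_frees(fill_fn fill, int old_check, int skb_len, int fail_after)
{
	struct frag_queue q;
	struct toy_skb skb = { skb_len, 0 };
	int rc = fill(&q, &skb, fail_after);

	if (old_check ? rc <= 0 : rc < 0)
		toy_dev_kfree_skb(&skb);
	return skb.frees;
}

int main(void)
{
	/* 4-byte skb in 1-byte fragments; the third allocation fails. */
	printf("buggy, rc <= 0 check:      freed %d time(s)\n",
	       count_frees(fill_fragments_buggy, 1, 4, 2));
	printf("half-fixed, rc < 0 check:  freed %d time(s)\n",
	       count_frees(fill_fragments_half_fixed, 0, 4, 2));
	printf("fixed, rc < 0 check:       freed %d time(s)\n",
	       count_frees(fill_fragments_fixed, 0, 4, 2));
	return 0;
}
```

The point of the half-fixed variant is that the return value and the free have to change together: an error return means "the callee did not consume the skb", and that is only true once the helper stops freeing on its failure path. With the full fix, a successful call leaves the skb freed exactly once by the helper, and a failed call leaves it freed exactly once by the caller.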

Thread overview:
2021-11-05  9:22 nfc: pn533: suspected double free when pn533_fill_fragment_skbs() return value <= 0 YE Chengfeng
2021-11-05 10:10 ` Krzysztof Kozlowski
2021-11-05 12:17 ` Dan Carpenter [this message]
2021-11-05 13:37   ` Re: " YE Chengfeng
