* [bug report] mctp: Add route input to socket tests
@ 2023-03-25 7:38 Dan Carpenter
2023-03-27 2:27 ` Jeremy Kerr
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2023-03-25 7:38 UTC (permalink / raw)
To: jk; +Cc: kernel-janitors
Hello Jeremy Kerr,
The patch 8892c0490779: "mctp: Add route input to socket tests" from
Oct 3, 2021, leads to the following Smatch static checker warning:
net/mctp/test/route-test.c:357 mctp_test_route_input_sk()
error: dereferencing freed memory 'skb'
net/mctp/test/route-test.c
331 static void mctp_test_route_input_sk(struct kunit *test)
332 {
333 const struct mctp_route_input_sk_test *params;
334 struct sk_buff *skb, *skb2;
335 struct mctp_test_route *rt;
336 struct mctp_test_dev *dev;
337 struct socket *sock;
338 int rc;
339
340 params = test->param_value;
341
342 __mctp_route_test_init(test, &dev, &rt, &sock);
343
344 skb = mctp_test_create_skb_data(¶ms->hdr, ¶ms->type);
345 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, skb);
346
347 skb->dev = dev->ndev;
348 __mctp_cb(skb);
349
350 rc = mctp_route_input(&rt->rt, skb);
^^^
Freed here.
351
352 if (params->deliver) {
353 KUNIT_EXPECT_EQ(test, rc, 0);
354
355 skb2 = skb_recv_datagram(sock->sk, MSG_DONTWAIT, &rc);
356 KUNIT_EXPECT_NOT_ERR_OR_NULL(test, skb2);
--> 357 KUNIT_EXPECT_EQ(test, skb->len, 1);
^^^
Use after free.
358
359 skb_free_datagram(sock->sk, skb2);
360
361 } else {
362 KUNIT_EXPECT_NE(test, rc, 0);
363 skb2 = skb_recv_datagram(sock->sk, MSG_DONTWAIT, &rc);
364 KUNIT_EXPECT_NULL(test, skb2);
365 }
366
367 __mctp_route_test_fini(test, dev, rt, sock);
368 }
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] mctp: Add route input to socket tests
2023-03-25 7:38 [bug report] mctp: Add route input to socket tests Dan Carpenter
@ 2023-03-27 2:27 ` Jeremy Kerr
0 siblings, 0 replies; 2+ messages in thread
From: Jeremy Kerr @ 2023-03-27 2:27 UTC (permalink / raw)
To: Dan Carpenter; +Cc: kernel-janitors
Hi Dan,
> The patch 8892c0490779: "mctp: Add route input to socket tests" from
> Oct 3, 2021, leads to the following Smatch static checker warning:
>
> net/mctp/test/route-test.c:357 mctp_test_route_input_sk()
> error: dereferencing freed memory 'skb'
[...]
> 351
> 352 if (params->deliver) {
> 353 KUNIT_EXPECT_EQ(test, rc, 0);
> 354
> 355 skb2 = skb_recv_datagram(sock->sk, MSG_DONTWAIT, &rc);
> 356 KUNIT_EXPECT_NOT_ERR_OR_NULL(test, skb2);
> --> 357 KUNIT_EXPECT_EQ(test, skb->len, 1);
> ^^^
> Use after free.
Yep, that should be skb2.
Thanks for the report! I'll send a fix soon.
Cheers,
Jeremy
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-03-27 2:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-25 7:38 [bug report] mctp: Add route input to socket tests Dan Carpenter
2023-03-27 2:27 ` Jeremy Kerr
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.