From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
To: philipp.reisner@linbit.com, lars.ellenberg@linbit.com, axboe@kernel.dk
Cc: drbd-dev@lists.linbit.com, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org,
Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Subject: [PATCH v2] drbd: Fix a use after free in get_initial_state
Date: Fri, 2 Apr 2021 00:07:13 -0700 [thread overview]
Message-ID: <20210402070713.4069-1-lyl2019@mail.ustc.edu.cn> (raw)
In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. I see that if genlmsg_put() failed in
notify_initial_state_done(), the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
return value skb->len.
My patch converts the type of notify_initial_state_done() from void to
int. So when errors occurs in notify_initial_state_done(), it can
return an error code. My patch also use err propagate the error and avoid
use the freed skb.
Fixes: a29728463b254 ("drbd: Backport the "events2" command")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
drivers/block/drbd/drbd_nl.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index bf7de4c7b96c..21035ff460da 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -4861,7 +4861,7 @@ void notify_helper(enum drbd_notification_type type,
err, seq);
}
-static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
+static int notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
{
struct drbd_genlmsghdr *dh;
int err;
@@ -4875,11 +4875,12 @@ static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
if (nla_put_notification_header(skb, NOTIFY_EXISTS))
goto nla_put_failure;
genlmsg_end(skb, dh);
- return;
+ return 0;
nla_put_failure:
nlmsg_free(skb);
pr_err("Error %d sending event. Event seq:%u\n", err, seq);
+ return err;
}
static void free_state_changes(struct list_head *list)
@@ -4905,6 +4906,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
unsigned int seq = cb->args[2];
unsigned int n;
+ int err;
enum drbd_notification_type flags = 0;
/* There is no need for taking notification_mutex here: it doesn't
@@ -4914,7 +4916,9 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
cb->args[5]--;
if (cb->args[5] == 1) {
- notify_initial_state_done(skb, seq);
+ err = notify_initial_state_done(skb, seq);
+ if (err)
+ return err;
goto out;
}
n = cb->args[4]++;
--
2.25.1
reply other threads:[~2021-04-02 7:07 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210402070713.4069-1-lyl2019@mail.ustc.edu.cn \
--to=lyl2019@mail.ustc.edu.cn \
--cc=axboe@kernel.dk \
--cc=drbd-dev@lists.linbit.com \
--cc=lars.ellenberg@linbit.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=philipp.reisner@linbit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.