diff mbox

bpf: don't kfree an uninitialized im_node

Message ID 20170124141629.9200-1-colin.king@canonical.com
State Not Applicable, archived
Delegated to: David Miller
Headers show

Commit Message

Colin Ian King Jan. 24, 2017, 2:16 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

There are some error exit paths to the label 'out' that end up
kfree'ing an uninitialized im_node.  Fix this by inititializing
im_node to NULL to avoid kfree'ing a garbage address.

Issue found by CoverityScan, CID#1398022 ("Uninitialized pointer read")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 kernel/bpf/lpm_trie.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Alexei Starovoitov Jan. 24, 2017, 5:53 p.m. UTC | #1 
On Tue, Jan 24, 2017 at 6:16 AM, Colin King <colin.king@canonical.com> wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> There are some error exit paths to the label 'out' that end up
> kfree'ing an uninitialized im_node.  Fix this by inititializing
> im_node to NULL to avoid kfree'ing a garbage address.

this fix already landed. See:
commit d140199af510 ("bpf, lpm: fix kfree of im_node in trie_update_elem")

> Issue found by CoverityScan, CID#1398022 ("Uninitialized pointer read")

Nice. Good to know that static analysis can do such checks.
diff mbox

Patch

diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
index ba19241d..144e976 100644
--- a/kernel/bpf/lpm_trie.c
+++ b/kernel/bpf/lpm_trie.c
@@ -262,7 +262,7 @@  static int trie_update_elem(struct bpf_map *map,
 			    void *_key, void *value, u64 flags)
 {
 	struct lpm_trie *trie = container_of(map, struct lpm_trie, map);
-	struct lpm_trie_node *node, *im_node, *new_node = NULL;
+	struct lpm_trie_node *node, *im_node = NULL, *new_node = NULL;
 	struct lpm_trie_node __rcu **slot;
 	struct bpf_lpm_trie_key *key = _key;
 	unsigned long irq_flags;