From patchwork Fri Sep 21 08:07:55 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 972907 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=oracle.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=oracle.com header.i=@oracle.com header.b="Urw0h23F"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 42GmSF5qZ2z9s89 for ; Fri, 21 Sep 2018 18:08:13 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389345AbeIUNzx (ORCPT ); Fri, 21 Sep 2018 09:55:53 -0400 Received: from userp2130.oracle.com ([156.151.31.86]:50148 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725898AbeIUNzx (ORCPT ); Fri, 21 Sep 2018 09:55:53 -0400 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w8L848hB152987; Fri, 21 Sep 2018 08:08:04 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2018-07-02; bh=7g9/aKFphY9CzAi/qGLH0NDoyv7swUPaI6zhJGpCYY8=; b=Urw0h23FHaPeRLpmWPb7KW9BtpPLYk8n4mMUefjt8XGDmuyBwGJ/ce7cXD3N5ip6m/6Q 9JXG4rUHMAcS6EzGuR8xBwD3u3B6rKb6tILsqotldFJTdWKkop9nRwB1sPm6KNUignS+ HPRpSTPnydAOCbtvBN+Bdr7Ti0oqKVM8UcF98hwR5XWkMrF4TAf9mmQvXexpeV0SB0os Yif6N3ONnqqFzLR+osWjUNVWcE7RS4nDiFMfe8+kjo6VoKp0B2h4z3YEViClSFhDJB+E juRxG8NG2U3MX/Y6ofZ7tJuuEPOu7l2VRd1SSWIFYNq5JKnAgynxWwC/TK7bmsfsgw14 iw== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2130.oracle.com with ESMTP id 2mmkm21n6x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 21 Sep 2018 08:08:03 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w8L883Dw006358 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 21 Sep 2018 08:08:03 GMT Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w8L882GI025422; Fri, 21 Sep 2018 08:08:02 GMT Received: from mwanda (/197.232.248.111) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 21 Sep 2018 01:08:02 -0700 Date: Fri, 21 Sep 2018 11:07:55 +0300 From: Dan Carpenter To: Jiri Pirko Cc: "David S. Miller" , netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH net] devlink: double free in devlink_resource_fill() Message-ID: <20180921080755.GA16307@mwanda> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: Mutt/1.10.1 (2018-07-13) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9022 signatures=668707 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=2 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=952 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809210085 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Smatch reports that devlink_dpipe_send_and_alloc_skb() frees the skb on error so this is a double free. We fixed a bunch of these bugs in commit 7fe4d6dcbcb4 ("devlink: Remove redundant free on error path") but we accidentally overlooked this one. Fixes: d9f9b9a4d05f ("devlink: Add support for resource abstraction") Signed-off-by: Dan Carpenter Acked-by: Jiri Pirko diff --git a/net/core/devlink.c b/net/core/devlink.c index 65fc366a78a4..8c0ed225e280 100644 --- a/net/core/devlink.c +++ b/net/core/devlink.c @@ -2592,7 +2592,7 @@ static int devlink_resource_fill(struct genl_info *info, if (!nlh) { err = devlink_dpipe_send_and_alloc_skb(&skb, info); if (err) - goto err_skb_send_alloc; + return err; goto send_done; } return genlmsg_reply(skb, info); @@ -2600,7 +2600,6 @@ static int devlink_resource_fill(struct genl_info *info, nla_put_failure: err = -EMSGSIZE; err_resource_put: -err_skb_send_alloc: nlmsg_free(skb); return err; }