Re: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages

Tue, 30 Mar 2021 19:03:48 -0700 


> -----原始邮件-----
> 发件人: "David Miller" <da...@davemloft.net>
> 发送时间: 2021-03-31 08:02:28 (星期三)
> 收件人: lyl2...@mail.ustc.edu.cn
> 抄送: santosh.shilim...@oracle.com, k...@kernel.org, net...@vger.kernel.org, 
> linux-r...@vger.kernel.org, rds-de...@oss.oracle.com, 
> linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
> 
> From: Lv Yunlong <lyl2...@mail.ustc.edu.cn>
> Date: Tue, 30 Mar 2021 03:16:02 -0700
> 
> > @@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long 
> > *page_addrs, unsigned in
> >     rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs);
> >     if (IS_ERR(rm->data.op_sg)) {
> >             rds_message_put(rm);
> > -           return ERR_CAST(rm->data.op_sg);
> > +           return ERR_PTR(-ENOMEM);
> >     }
> >  
> >     for (i = 0; i < rm->data.op_nents; ++i) {
> 
> Maybe instead do:
> 
>       int err = ERR_CAST(rm->data.op_sg);
>       rds_message_put(rm);
>       return err;
> 
> Then if rds_message_alloc_sgs() starts to return other errors, they will 
> propagate.
> 
> Thank you.

The type of ERR_CAST() is void *, not int. 
I think the correct patch is:

        void *err = ERR_CAST(rm->data.op_sg);
        rds_message_put(rm);
        return err;

I have submitted the PATCH v2 for you to review.

Thanks.






















					Reply via email to