Re: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
> -Original Message-
> From: "David Miller"
> Sent: 2021-03-31 08:02:28 (Wednesday)
> To: lyl2...@mail.ustc.edu.cn
> Cc: santosh.shilim...@oracle.com, k...@kernel.org, net...@vger.kernel.org, linux-r...@vger.kernel.org, rds-de...@oss.oracle.com, linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
>
> From: Lv Yunlong
> Date: Tue, 30 Mar 2021 03:16:02 -0700
>
> > @@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long > > *page_addrs, unsigned in > > rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); > > if (IS_ERR(rm->data.op_sg)) { > > rds_message_put(rm); > > - return ERR_CAST(rm->data.op_sg); > > + return ERR_PTR(-ENOMEM); > > } > > > > for (i = 0; i < rm->data.op_nents; ++i) {
>
> Maybe instead do:
>
>     int err = ERR_CAST(rm->data.op_sg);
>     rds_message_put(rm);
>     return err;
>
> Then if rds_message_alloc_sgs() starts to return other errors, they will
> propagate.
>
> Thank you.

The type of ERR_CAST() is void *, not int.
I think the correct patch is:

    void *err = ERR_CAST(rm->data.op_sg);
    rds_message_put(rm);
    return err;

I have submitted the PATCH v2 for you to review.

Thanks.
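The error-path ordering this thread converges on, as an added userspace example (not code from the patch or from net/rds): the error pointer is copied out of the object before the final put, so nothing reads freed memory and the allocator's errno still reaches the caller. struct msg, msg_put(), alloc_sgs(), map_pages() and live_msgs are hypothetical stand-ins, and the ERR_PTR family is re-implemented here to mimic the kernel helpers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's <linux/err.h> helpers (assumption). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline void *ERR_CAST(const void *p) { return (void *)p; }

struct msg { int refcount; void *sg; };   /* hypothetical model of rm */
static int live_msgs;                     /* objects not yet freed */

static void msg_put(struct msg *m)
{
    if (--m->refcount == 0) {
        live_msgs--;
        free(m);   /* from here on, reading m->sg is a use after free */
    }
}

/* Hypothetical allocator: fails with the errno the caller asks for. */
static void *alloc_sgs(int fail_errno)
{
    return fail_errno ? ERR_PTR(-fail_errno) : malloc(16);
}

struct msg *map_pages(int fail_errno)
{
    struct msg *m = calloc(1, sizeof(*m));
    if (!m)
        return ERR_PTR(-ENOMEM);
    m->refcount = 1;
    live_msgs++;
    m->sg = alloc_sgs(fail_errno);
    if (IS_ERR(m->sg)) {
        void *err = ERR_CAST(m->sg);   /* copy out while m is valid */
        msg_put(m);                    /* drops the last reference */
        return err;                    /* allocator's errno propagates */
    }
    return m;
}

int main(void)
{
    printf("%ld\n", PTR_ERR(map_pages(EINVAL)));
}
```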
Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
From: Lv Yunlong
Date: Tue, 30 Mar 2021 03:16:02 -0700

> @@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long > *page_addrs, unsigned in > rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); > if (IS_ERR(rm->data.op_sg)) { > rds_message_put(rm); > - return ERR_CAST(rm->data.op_sg); > + return ERR_PTR(-ENOMEM); > } > > for (i = 0; i < rm->data.op_nents; ++i) {

Maybe instead do:

    int err = ERR_CAST(rm->data.op_sg);
    rds_message_put(rm);
    return err;

Then if rds_message_alloc_sgs() starts to return other errors, they will propagate.

Thank you.
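Review bot: Returning ERR_PTR(-ENOMEM) in the IS_ERR(rm->data.op_sg) branch discards whatever error rds_message_alloc_sgs() encoded in rm->data.op_sg and replaces it with a fixed value. Copy rm->data.op_sg into a pointer-typed local before rds_message_put(rm) and return that local through ERR_CAST(), so the function, which returns struct rds_message *, still hands the allocator's error code to its caller without touching rm after the put.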
Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
Just as a reminder, there has been no reply to this message for more than a week. Could someone help to fix this issue?

> -Original Message-
> From: "Lv Yunlong"
> Sent: 2021-03-11 16:46:16 (Thursday)
> To: santosh.shilim...@oracle.com, da...@davemloft.net, k...@kernel.org
> Cc: net...@vger.kernel.org, linux-r...@vger.kernel.org, rds-de...@oss.oracle.com, linux-kernel@vger.kernel.org, "Lv Yunlong"
> Subject: [PATCH] net/rds: Fix a use after free in rds_message_map_pages
>
> In rds_message_map_pages, rds_message_put() will free rm.
> Maybe store the value of rm->data.op_sg ahead of rds_message_put()
> is better. Otherwise other threads could allocate the freed chunk
> and may change the value of rm->data.op_sg.
>
> Signed-off-by: Lv Yunlong
> --- > net/rds/message.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/rds/message.c b/net/rds/message.c > index 071a261fdaab..392e3a2f41a0 100644 > --- a/net/rds/message.c > +++ b/net/rds/message.c > @@ -347,8 +347,9 @@ struct rds_message *rds_message_map_pages(unsigned long > *page_addrs, unsigned in > rm->data.op_nents = DIV_ROUND_UP(total_len, PAGE_SIZE); > rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); > if (IS_ERR(rm->data.op_sg)) { > + struct scatterlist *tmp = rm->data.op_sg; > rds_message_put(rm); > - return ERR_CAST(rm->data.op_sg); > + return ERR_CAST(tmp); > } > > for (i = 0; i < rm->data.op_nents; ++i) { > -- > 2.25.1 >
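Review bot: In the IS_ERR(rm->data.op_sg) branch, the added declaration "struct scatterlist *tmp = rm->data.op_sg;" runs straight into the rds_message_put(rm) call; kernel coding style expects a blank line between a declaration and the first statement, and a name such as "err" would say more than "tmp" about what the saved pointer holds. The commit message carries only a Signed-off-by line; a Fixes: tag naming the commit that introduced the read of rm->data.op_sg after rds_message_put(rm) would let stable maintainers pick the change up.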