RE: [PATCH 1/2] PCI: hv: don't leak buffer in hv_pci_onchannelcallback()

From: Jake Oshins
Date: Tue May 31 2016 - 14:01:48 EST


> -----Original Message-----
> From: Vitaly Kuznetsov [mailto:vkuznets@xxxxxxxxxx]
> Sent: Monday, May 30, 2016 7:18 AM
> To: linux-pci@xxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx; devel@xxxxxxxxxxxxxxxxxxxxxx; Bjorn
> Helgaas <bhelgaas@xxxxxxxxxx>; Haiyang Zhang
> <haiyangz@xxxxxxxxxxxxx>; KY Srinivasan <kys@xxxxxxxxxxxxx>; Jake
> Oshins <jakeo@xxxxxxxxxxxxx>
> Subject: [PATCH 1/2] PCI: hv: don't leak buffer in hv_pci_onchannelcallback()
>
> We don't free buffer on several code paths in hv_pci_onchannelcallback(),
> put kfree() to the end of the function to fix the issue. Direct { kfree();
> return; } can now be replaced with a simple 'break';
>
> Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Acked-by: Jake Oshins <jakeo@xxxxxxxxxxxxx>

> ---
> drivers/pci/host/pci-hyperv.c | 11 +++++------
> 1 file changed, 5 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
> index 7e9b2de..a68ec49 100644
> --- a/drivers/pci/host/pci-hyperv.c
> +++ b/drivers/pci/host/pci-hyperv.c
> @@ -1661,10 +1661,8 @@ static void hv_pci_onchannelcallback(void
> *context)
> * All incoming packets must be at least as large as a
> * response.
> */
> - if (bytes_recvd <= sizeof(struct pci_response)) {
> - kfree(buffer);
> - return;
> - }
> + if (bytes_recvd <= sizeof(struct pci_response))
> + break;
> desc = (struct vmpacket_descriptor *)buffer;
>
> switch (desc->type) {
> @@ -1679,8 +1677,7 @@ static void hv_pci_onchannelcallback(void
> *context)
> comp_packet->completion_func(comp_packet-
> >compl_ctxt,
> response,
> bytes_recvd);
> - kfree(buffer);
> - return;
> + break;
>
> case VM_PKT_DATA_INBAND:
>
> @@ -1729,6 +1726,8 @@ static void hv_pci_onchannelcallback(void
> *context)
> }
> break;
> }
> +
> + kfree(buffer);
> }
>
> /**
> --
> 2.5.5

This is a good fix. Thanks.

-- Jake Oshins