Re: [PATCH] nilfs2: fix potential use after free

2018-12-03 Thread PanBian
On Mon, Dec 03, 2018 at 06:10:51PM +0900, Ryusuke Konishi wrote:
> Hi, Pan Bian
>
> Thank you for feeding back this patch.
> I reviewed this and am thinking this must be sent to upstream.
>
> Did you see any kernel oops on this bug ?

Not yet. In fact, I found it with a static method.

Best regar

Re: [PATCH] crypto: do not free algorithm before using

2018-11-28 Thread PanBian
On Thu, Nov 29, 2018 at 02:57:11PM +0800, Herbert Xu wrote:
> On Thu, Nov 22, 2018 at 06:00:16PM +0800, Pan Bian wrote:
> > In multiple functions, the algorithm fields are read after its reference
> > is dropped through crypto_mod_put. In this case, the algorithm memory
> > may be freed, resulting

Re: [PATCH V2] namei: free new_dentry late

2018-11-27 Thread PanBian
On Tue, Nov 27, 2018 at 10:25:51AM +0100, Jan Kara wrote:
> On Sun 25-11-18 08:15:23, Pan Bian wrote:
> > After calling dput(new_dentry), new_dentry is passed to fsnotify_move.
> > This may result in a use-after-free bug. This patch moves the put
> > operation late.
> >
> > Fixes: da1ce0670c14("vf

Re: [PATCH] libceph: fix use after free

2018-11-27 Thread PanBian
On Tue, Nov 27, 2018 at 11:47:56AM +0300, Sergei Shtylyov wrote:
> Hello!
>
> On 27.11.2018 10:02, Pan Bian wrote:
>
> >The function ceph_monc_handle_map calls kfree(old) to free the old
> >monitor map, old points to monc->monmap. However, after that, it reads
> >monc->monmap->epoch and passes it

Re: [PATCH] xfs: libxfs: move xfs_perag_put late

2018-11-26 Thread PanBian
On Mon, Nov 26, 2018 at 09:17:50AM -0500, Brian Foster wrote:
> On Mon, Nov 26, 2018 at 06:36:19PM +0800, PanBian wrote:
> > On Mon, Nov 26, 2018 at 10:31:39AM +0100, Carlos Maiolino wrote:
> > > On Sat, Nov 24, 2018 at 05:44:20PM +0800, Pan Bian wrote:
> > > > The f

Re: [PATCH] xfs: libxfs: move xfs_perag_put late

2018-11-26 Thread PanBian
On Mon, Nov 26, 2018 at 10:31:39AM +0100, Carlos Maiolino wrote:
> On Sat, Nov 24, 2018 at 05:44:20PM +0800, Pan Bian wrote:
> > The function xfs_alloc_get_freelist calls xfs_perag_put to drop the
> > reference. In this case, pag may be released. However,
> > pag->pagf_btreeblks is read and write a

Re: [PATCH] hfs: do not free node before using

2018-11-23 Thread PanBian
On Fri, Nov 23, 2018 at 04:51:49PM -0800, Viacheslav Dubeyko wrote:
> On Fri, 2018-11-23 at 17:04 +0800, Pan Bian wrote:
> > The function hfs_bmap_free frees node via hfs_bnode_put(node).
> > However,
> > it then reads node->this when dumping error message on an error path,
> > which may result in

Re: [PATCH] exportfs: do not read dentry after free

2018-11-22 Thread PanBian
On Fri, Nov 23, 2018 at 07:58:15AM +0200, Amir Goldstein wrote:
> On Fri, Nov 23, 2018 at 5:16 AM Pan Bian wrote:
> >
> > The function dentry_connected calls dput(dentry) to drop the previously
> > acquired reference to dentry. In this case, dentry can be released.
> > After that, IS_ROOT(dentry)

Re: scsi: hisi_sas: replace kfree with scsi_host_put

2017-08-08 Thread PanBian
On Tue, Aug 08, 2017 at 03:56:22PM +0100, John Garry wrote:
> On 08/08/2017 12:37, Pan Bian wrote:
> >Return value of scsi_host_alloc() should be released with
> >scsi_host_put() rather than kfree().
> >
> >Signed-off-by: Pan Bian
>
> We also have a kfree(shost) in newly added pci-based v3 driver

Re: [PATCH 1/1] tipc: check return value of nlmsg_new

2017-04-23 Thread PanBian
On Sun, Apr 23, 2017 at 12:17:16AM -0700, Joe Perches wrote:
> On Sun, 2017-04-23 at 15:09 +0800, Pan Bian wrote:
> > Function nlmsg_new() will return a NULL pointer if there is no enough
> > memory, and its return value should be checked before it is used.
> > However, in function tipc_nl_node_get