[Drbd-dev] [bug report] drbd: Backport the "events2" command
Dan Carpenter
dan.carpenter at oracle.com
Mon Mar 6 16:22:51 CET 2017

Hello Andreas Gruenbacher,

The patch a29728463b25: "drbd: Backport the "events2" command" from
Jul 31, 2014, leads to the following static checker warning:

	drivers/block/drbd/drbd_nl.c:4934 get_initial_state()
	error: dereferencing freed memory 'skb'

drivers/block/drbd/drbd_nl.c
  4841  static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
  4842  {
  4843          struct drbd_genlmsghdr *dh;
  4844          int err;
  4845
  4846          err = -EMSGSIZE;
  4847          dh = genlmsg_put(skb, 0, seq, &drbd_genl_family, 0, DRBD_INITIAL_STATE_DONE);
  4848          if (!dh)
  4849                  goto nla_put_failure;
  4850          dh->minor = -1U;
  4851          dh->ret_code = NO_ERROR;
  4852          if (nla_put_notification_header(skb, NOTIFY_EXISTS))
  4853                  goto nla_put_failure;
  4854          genlmsg_end(skb, dh);
  4855          return;
  4856
  4857  nla_put_failure:
  4858          nlmsg_free(skb);

We free this on error, but it's a void function so it seems like the
callers just assume it succeeded leading to a use after free bug.
(It's also possible that I have misunderstood the refcounting here).

  4859          pr_err("Error %d sending event. Event seq:%u\n", err, seq);
  4860  }

regards,
dan carpenter
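
Added example, not part of the original message and not DRBD code: a user-space C model of the ownership pattern the report describes (a void helper that frees the caller's buffer on error), next to one possible fix in which the helper returns the error and the caller stays the single owner. struct msgbuf, msg_put(), notify_done_void(), notify_done_checked() and send_initial_state() are hypothetical stand-ins, and the fix shown is an assumption, not the change made in the driver.

```c
/* User-space model; every name below is a hypothetical stand-in, not DRBD code. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct msgbuf { size_t len, cap; char data[]; };

/* Append n bytes; -EMSGSIZE when full (models a failed put on the skb). */
int msg_put(struct msgbuf *m, const void *p, size_t n)
{
	if (n > m->cap - m->len)
		return -EMSGSIZE;
	memcpy(m->data + m->len, p, n);
	m->len += n;
	return 0;
}

/* Reported pattern: frees on error, returns void, caller's pointer dangles. Never called here. */
void notify_done_void(struct msgbuf *m)
{
	if (msg_put(m, "DONE", 4))
		free(m);
}

/* One possible fix (assumption): report the error and leave ownership alone. */
int notify_done_checked(struct msgbuf *m)
{
	return msg_put(m, "DONE", 4);
}

/* Owner allocates, checks, and frees exactly once; returns bytes queued or -errno. */
int send_initial_state(size_t cap)
{
	struct msgbuf *m = calloc(1, sizeof(*m) + cap);
	int ret;
	if (!m)
		return -ENOMEM;
	m->cap = cap;
	ret = notify_done_checked(m);
	if (!ret)
		ret = (int)m->len;	/* m is read only on the success path */
	free(m);
	return ret;
}

int main(void)
{
	return send_initial_state(16) == 4 && send_initial_state(2) == -EMSGSIZE ? 0 : 1;
}
```

Building the model with -fsanitize=address and swapping notify_done_void() into send_initial_state() makes the sanitizer report the later read of m->len and the second free().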