RAS/AMD/FMPM: Fix off by one in error handling

[PATCH] RAS/AMD/FMPM: Fix off by one in error handling

Posted by Dan Carpenter 1 year, 9 months ago

Decrement "i" before the first iteration.  Depending on where this fails
it could free something from one element beyond the end of the
fru_records[] array.

Fixes: 6f15e617cc99 ("RAS: Introduce a FRU memory poison manager")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/ras/amd/fmpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ras/amd/fmpm.c b/drivers/ras/amd/fmpm.c
index 0963c9e7b853..2f4ac9591c8f 100644
--- a/drivers/ras/amd/fmpm.c
+++ b/drivers/ras/amd/fmpm.c
@@ -817,7 +817,7 @@ static int allocate_records(void)
 	return ret;
 
 out_free:
-	for (; i >= 0; i--)
+	while (--i >= 0)
 		kfree(fru_records[i]);
 
 	kfree(fru_records);
-- 
2.43.0

Re: [PATCH] RAS/AMD/FMPM: Fix off by one in error handling

Posted by Borislav Petkov 1 year, 9 months ago

On Wed, Mar 06, 2024 at 08:30:46AM +0300, Dan Carpenter wrote:
> Decrement "i" before the first iteration.  Depending on where this fails
> it could free something from one element beyond the end of the
> fru_records[] array.
> 
> Fixes: 6f15e617cc99 ("RAS: Introduce a FRU memory poison manager")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>  drivers/ras/amd/fmpm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ras/amd/fmpm.c b/drivers/ras/amd/fmpm.c
> index 0963c9e7b853..2f4ac9591c8f 100644
> --- a/drivers/ras/amd/fmpm.c
> +++ b/drivers/ras/amd/fmpm.c
> @@ -817,7 +817,7 @@ static int allocate_records(void)
>  	return ret;
>  
>  out_free:
> -	for (; i >= 0; i--)
> +	while (--i >= 0)
>  		kfree(fru_records[i]);
>  
>  	kfree(fru_records);
> -- 

Applied, thanks.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette