-----原始邮件-----
发件人: "David Miller" [off-list ref]
发送时间: 2021-03-31 08:02:28 (星期三)
收件人: lyl2019@mail.ustc.edu.cn
抄送: santosh.shilimkar@oracle.com, kuba@kernel.org, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org
主题: Re: [PATCH] net/rds: Fix a use after free in rds_message_map_pages

From: Lv Yunlong <redacted>
Date: Tue, 30 Mar 2021 03:16:02 -0700

quoted

@@ -348,7 +348,7 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
 	rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs);
 	if (IS_ERR(rm->data.op_sg)) {
 		rds_message_put(rm);
-		return ERR_CAST(rm->data.op_sg);
+		return ERR_PTR(-ENOMEM);
 	}
 
 	for (i = 0; i < rm->data.op_nents; ++i) {

Maybe instead do:

      int err = ERR_CAST(rm->data.op_sg);
      rds_message_put(rm);
      return err;

Then if rds_message_alloc_sgs() starts to return other errors, they will propagate.

Thank you.

The type of ERR_CAST() is void *, not int. 
I think the correct patch is:

        void *err = ERR_CAST(rm->data.op_sg);
        rds_message_put(rm);
        return err;

I have submitted the PATCH v2 for you to review.

Thanks.