Message-ID: <7e2a501f-955a-5bd1-f70d-ad69e7223981@linux.alibaba.com>
Date:   Wed, 20 Nov 2019 21:31:51 +0800
From:   Wen Yang <wenyang@...ux.alibaba.com>
To:     Alexander Shishkin <alexander.shishkin@...ux.intel.com>
Cc:     zhiche.yy@...baba-inc.com, xlpang@...ux.alibaba.com,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] intel_th: avoid double free in error flow


On 2019/11/20 9:06 PM, Alexander Shishkin wrote:
> Wen Yang <wenyang@...ux.alibaba.com> writes:
>
>> There is a possible double free issue in intel_th_subdevice_alloc:
>>
>> 651         err = intel_th_device_add_resources(thdev, res, subdev->nres);
>> 652         if (err) {
>> 653                 put_device(&thdev->dev);
>> 654                 goto fail_put_device;     ---> freed
>> 655         }
>> ...
>> 687 fail_put_device:
>> 688         put_device(&thdev->dev);          ---> double freed
>> 689
>>
>> This patch fixes it by removing the unnecessary put_device().
> Unnecessary is too generous a term here.
>
>> Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
>> Signed-off-by: Wen Yang <wenyang@...ux.alibaba.com>
>> Cc: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
>> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
>> Cc: linux-kernel@...r.kernel.org
> Cc: stable@ is missing.
>
>> ---
>>   drivers/hwtracing/intel_th/core.c | 4 +---
>>   1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c
>> index d5c1821..98d195c 100644
>> --- a/drivers/hwtracing/intel_th/core.c
>> +++ b/drivers/hwtracing/intel_th/core.c
>> @@ -649,10 +649,8 @@ static inline void intel_th_request_hub_module_flush(struct intel_th *th)
>>   	}
>>   
>>   	err = intel_th_device_add_resources(thdev, res, subdev->nres);
>> -	if (err) {
>> -		put_device(&thdev->dev);
>> +	if (err)
>>   		goto fail_put_device;
>> -	}
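Review bot: in the `intel_th_device_add_resources()` error branch, the changelog should explain why the inline `put_device(&thdev->dev)` is removed instead of calling it unnecessary: per the lines quoted in the description, `fail_put_device:` already drops the same reference, so the old branch put it twice. Please also say in the changelog how the `device_add()` error branch a few lines lower, which likewise calls `put_device()` before a `goto`, was checked against the label it jumps to, and add `Cc: stable@` next to the `Fixes:` tag.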
> What about the second instance of the same problem a few lines lower?
> Thanks,
> --
> Alex

Hi Alex,

Thank you for your comments.

Another example a few lines lower:

        err = device_add(&thdev->dev);
        if (err) {
                put_device(&thdev->dev);
                goto fail_free_res;
        }

device_add() has increased the reference count, so when it returns an
error, an additional call to put_device() is needed here to reduce the
reference count.

So the code in this place is correct.


--

Regards,

Wen
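
The double put from the patch description, modelled in user space as an added example (not code from the kernel or from this thread). `struct obj`, `obj_put()`, `subdev_alloc()` and `stray_puts()` are hypothetical stand-ins, the failure is constructed, and only the `intel_th_device_add_resources()` error branch is modelled.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for a refcounted struct device. */
struct obj { int refs, bad_puts; };

static void obj_put(struct obj *o)
{
	if (o->refs == 0)
		o->bad_puts++;  /* put on an object that was already released */
	else
		o->refs--;      /* reaching 0 is where the release callback would free it */
}

/* patched == 0: flow quoted in the patch description (put, then goto a label
 * that puts again). patched != 0: only the label drops the reference. */
static int subdev_alloc(struct obj *o, int fail, int patched)
{
	int err = fail ? -ENOMEM : 0;   /* constructed failure of the setup step */

	*o = (struct obj){ .refs = 1 }; /* the creator holds the initial reference */
	if (err) {
		if (!patched)
			obj_put(o);     /* the line the patch removes */
		goto fail_put_device;
	}
	return 0;
fail_put_device:
	obj_put(o);
	return err;
}

/* Number of puts issued after the object was already released. */
static int stray_puts(int fail, int patched)
{
	struct obj o;

	subdev_alloc(&o, fail, patched);
	return o.bad_puts;
}

int main(void)
{
	printf("unpatched: %d stray put(s), patched: %d\n",
	       stray_puts(1, 0), stray_puts(1, 1));
	return 0;
}
```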


