lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 6 May 2020 20:23:18 +0200
From:   Sam Ravnborg <sam@...nborg.org>
To:     Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc:     rpurdie@...ys.net, adaplas@....net, b.zolnierkie@...sung.com,
        dri-devel@...ts.freedesktop.org, linux-fbdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH V2] video: fbdev: w100fb: Fix a potential double free.

Hi Christophe
On Wed, May 06, 2020 at 08:19:02PM +0200, Christophe JAILLET wrote:
> Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
> the 'w100fb_restore_vidmem' function. (these functions are called
> respectively from the 'suspend' and the 'resume' functions)
> 
> However, it is also freed in the 'remove' function.
> 
> In order to avoid a potential double free, set the corresponding pointer
> to NULL once freed in the 'w100fb_restore_vidmem' function.
> 
> Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence")
> Cc: Richard Purdie <rpurdie@...ys.net>
> Cc: Antonino Daplas <adaplas@....net>
> Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
> Cc: <stable@...r.kernel.org> # v2.6.14+
> Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>

Thanks for the quick v2.
Applied to drm-misc-next.

	Sam

> ---
> v2: - Add Cc: tags
>     - Reword the commit message to give the names of the functions that
>       allocate and free the memory. These functions are called from the
>       suspend and resume function.
> ---
>  drivers/video/fbdev/w100fb.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/video/fbdev/w100fb.c b/drivers/video/fbdev/w100fb.c
> index 2d6e2738b792..d96ab28f8ce4 100644
> --- a/drivers/video/fbdev/w100fb.c
> +++ b/drivers/video/fbdev/w100fb.c
> @@ -588,6 +588,7 @@ static void w100fb_restore_vidmem(struct w100fb_par *par)
>  		memsize=par->mach->mem->size;
>  		memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize);
>  		vfree(par->saved_extmem);
> +		par->saved_extmem = NULL;
>  	}
>  	if (par->saved_intmem) {
>  		memsize=MEM_INT_SIZE;
> @@ -596,6 +597,7 @@ static void w100fb_restore_vidmem(struct w100fb_par *par)
>  		else
>  			memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize);
>  		vfree(par->saved_intmem);
> +		par->saved_intmem = NULL;
>  	}
>  }
>  
> -- 
> 2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ