lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20220620153208.4075636-1-windhl@126.com>
Date:   Mon, 20 Jun 2022 23:32:08 +0800
From:   Liang He <windhl@....com>
To:     davem@...emloft.net
Cc:     windhl@....com, sparclinux@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH v2] sbus/char: Fix refcount leak bugs in openprom.c

In opiocgetnext(), we need a of_node_put() to keep refcount balance.

NOTE: we should not change 'dp' as it will used as the arg of
of_node_put().

Signed-off-by: Liang He <windhl@....com>
---
 changelog:

 v2: (1) consider of_find_node_by_path() and of_find_node_by_phandle()
 v1: this is a wrong patch as dp has been updated by its sibling or
child.


 drivers/sbus/char/openprom.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 30b9751aad30..b5907e0c24e5 100644
--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -494,7 +494,7 @@ static int opiocset(void __user *argp, DATA *data)
 
 static int opiocgetnext(unsigned int cmd, void __user *argp)
 {
-	struct device_node *dp;
+	struct device_node *dp, *tp;
 	phandle nd;
 
 	BUILD_BUG_ON(sizeof(phandle) != sizeof(int));
@@ -506,18 +506,24 @@ static int opiocgetnext(unsigned int cmd, void __user *argp)
 		if (cmd != OPIOCGETNEXT)
 			return -EINVAL;
 		dp = of_find_node_by_path("/");
+		if (dp)
+			nd = dp->phandle;
 	} else {
 		dp = of_find_node_by_phandle(nd);
 		nd = 0;
 		if (dp) {
 			if (cmd == OPIOCGETNEXT)
-				dp = dp->sibling;
+				tp = dp->sibling;
 			else
-				dp = dp->child;
+				tp = dp->child;
 		}
+
+		if (tp)
+			nd = tp->phandle;
 	}
-	if (dp)
-		nd = dp->phandle;
+
+	of_node_put(dp);
+
 	if (copy_to_user(argp, &nd, sizeof(phandle)))
 		return -EFAULT;
 
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ