lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Y6WGMd5hb2LoDyNL@kadam>
Date:   Fri, 23 Dec 2022 13:42:57 +0300
From:   Dan Carpenter <error27@...il.com>
To:     Logan Gunthorpe <logang@...tatee.com>
Cc:     Miaoqian Lin <linmq006@...il.com>, Vinod Koul <vkoul@...nel.org>,
        dmaengine@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] dmaengine: plx_dma: Fix potential double free in
 plx_dma_create

On Tue, Dec 20, 2022 at 09:35:38AM -0700, Logan Gunthorpe wrote:
> 
> 
> On 2022-12-19 23:17, Miaoqian Lin wrote:
> > When all references are dropped, callback function plx_dma_release()
> > for put_device() will call kfree(plxdev) to release memory.
> > Fix the error path to fix the possible double free.
> >
> > Fixes: 07503e6aefe4 ("dmaengine: plx_dma: add a missing put_device() on error path")
> > Signed-off-by: Miaoqian Lin <linmq006@...il.com>
> > ---
> > Please correct me if I make mistakes, thanks for your review.
> > ---
> >  drivers/dma/plx_dma.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/dma/plx_dma.c b/drivers/dma/plx_dma.c
> > index 12725fa1655f..bce724ff4e16 100644
> > --- a/drivers/dma/plx_dma.c
> > +++ b/drivers/dma/plx_dma.c
> > @@ -546,8 +546,9 @@ static int plx_dma_create(struct pci_dev *pdev)
> >  	return 0;
> >  
> >  put_device:
> > -	put_device(&pdev->dev);
> >  	free_irq(pci_irq_vector(pdev, 0),  plxdev);
> > +	put_device(&pdev->dev);
> > +	return rc;
> >  free_plx:
> >  	kfree(plxdev);
> >  
> 
> 
> Sorry, after reviewing, I don't think this patch is correct.
> 
> plx_dma_release() is called from dma_async_device_unregister() which
> won't be called if dma_async_device_register() fails. It does not get
> freed when the pci device is put. So I don't think this is a possible
> double free.

I think instead of "double free" it Miaoqian meant "use after free".  It
does look like a use after free to me.  Certainly there is no harm from
applying the patch and it makes the code more obviously correct.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ