lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZPTwTiTr1N0Gz7HY@shine.dominikbrodowski.net>
Date:   Sun, 3 Sep 2023 22:45:02 +0200
From:   Dominik Brodowski <linux@...inikbrodowski.net>
To:     Yang Yingliang <yangyingliang@...wei.com>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] pcmcia: ds: fix possible name leak in error path in
 pcmcia_device_add()

Am Sat, Nov 12, 2022 at 05:29:24PM +0800 schrieb Yang Yingliang:
> Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
> bus_id string array"), the name of device is allocated dynamically,
> it need bee freed.
> 
> As comment of device_register() says, it should use put_device() to
> give up the reference in the error path, some resources is going to
> freed in pcmcia_release_dev(), so don't use error label, just return
> NULL after calling put_device().
> 
> Before device_initialize(), it can not call put_device(), so move the
> dev_set_name() before device_register().
> 
> Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
> Signed-off-by: Yang Yingliang <yangyingliang@...wei.com>
> ---
>  drivers/pcmcia/ds.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c
> index 7d3258a1f8f8..a249d9a0457b 100644
> --- a/drivers/pcmcia/ds.c
> +++ b/drivers/pcmcia/ds.c
> @@ -513,9 +513,6 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s,
>  	/* by default don't allow DMA */
>  	p_dev->dma_mask = 0;
>  	p_dev->dev.dma_mask = &p_dev->dma_mask;
> -	dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no);
> -	if (!dev_name(&p_dev->dev))
> -		goto err_free;
>  	p_dev->devname = kasprintf(GFP_KERNEL, "pcmcia%s", dev_name(&p_dev->dev));
>  	if (!p_dev->devname)
>  		goto err_free;
> @@ -573,8 +570,17 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s,
>  
>  	pcmcia_device_query(p_dev);
>  
> -	if (device_register(&p_dev->dev))
> +	dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no);
> +	if (!dev_name(&p_dev->dev))
>  		goto err_put_ref;
> +	if (device_register(&p_dev->dev)) {

Thanks for your patch! I totally see your point. However, err_put_ref puts
the "wrong" reference (to &p_dev->function_config->ref), which doesn't help
with the issue you detected, as that requires &p_dev->dev to be dropped.
What about the following instead?

From: Yang Yingliang <yangyingliang@...wei.com>
Subject: [PATCH] pcmcia: ds: fix possible name leak in error path in
 pcmcia_device_add()

Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of device is allocated dynamically.
Therefore, it needs to be freed, which is done by the driver core for
us once all references to the device are gone. Therefore, move the
dev_set_name() call immediately before the call device_register(), which
either succeeds (then the freeing will be done upon subsequent remvoal),
or puts the reference in the error call. Also, it is not unusual that the
return value of dev_set_name is not checked.

Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@...wei.com>
[linux@...inikbrodowski.net: simplification, commit message modified]
Signed-off-by: Dominik Brodowski <linux@...inikbrodowski.net>

diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c
index c90c68dee1e4..b4b8363d1de2 100644
--- a/drivers/pcmcia/ds.c
+++ b/drivers/pcmcia/ds.c
@@ -513,9 +513,6 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s,
 	/* by default don't allow DMA */
 	p_dev->dma_mask = 0;
 	p_dev->dev.dma_mask = &p_dev->dma_mask;
-	dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no);
-	if (!dev_name(&p_dev->dev))
-		goto err_free;
 	p_dev->devname = kasprintf(GFP_KERNEL, "pcmcia%s", dev_name(&p_dev->dev));
 	if (!p_dev->devname)
 		goto err_free;
@@ -573,6 +570,7 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s,
 
 	pcmcia_device_query(p_dev);
 
+	dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no);
 	if (device_register(&p_dev->dev)) {
 		mutex_lock(&s->ops_mutex);
 		list_del(&p_dev->socket_device_list);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ