| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250107011917.642951-1-make24@iscas.ac.cn>
Date: Tue, 7 Jan 2025 09:19:17 +0800
From: Ma Ke <make24@...as.ac.cn>
To: christophe.jaillet@...adoo.fr
Cc: arnd@...db.de,
gregkh@...uxfoundation.org,
kumaravel.thiagarajan@...rochip.com,
linux-gpio@...r.kernel.org,
linux-kernel@...r.kernel.org,
make24@...as.ac.cn,
stable@...r.kernel.org
Subject: Re: [PATCH] misc: microchip: pci1xxxx: Fix possible double free in error handling path
Christophe JAILLET<christophe.jaillet@...adoo.fr> wrote:
> Ma Ke <make24@...as.ac.cn> writes:
> > When auxiliary_device_add() returns error and then calls
> > auxiliary_device_uninit(), the callback function
> > gp_auxiliary_device_release() calls kfree() to free memory. Do not
> > call kfree() again in the error handling path.
> >
> > Fix this by skipping the redundant kfree().
> >
> > Found by code review.
> >
> > Cc: stable@...r.kernel.org
> > Fixes: 393fc2f5948f ("misc: microchip: pci1xxxx: load auxiliary bus driver for the PIO function in the multi-function endpoint of pci1xxxx device.")
> > Signed-off-by: Ma Ke <make24@...as.ac.cn>
> > ---
> > drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
> > index 32af2b14ff34..fbd712938bdc 100644
> > --- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
> > +++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c
> > @@ -111,6 +111,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
> >
> > err_aux_dev_add_1:
> > auxiliary_device_uninit(&aux_bus->aux_device_wrapper[1]->aux_dev);
> > + goto err_aux_dev_add_0;
> >
> > err_aux_dev_init_1:
> > ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[1]->aux_dev.id);
> > @@ -120,6 +121,7 @@ static int gp_aux_bus_probe(struct pci_dev *pdev, const struct pci_device_id *id
> >
> > err_aux_dev_add_0:
> > auxiliary_device_uninit(&aux_bus->aux_device_wrapper[0]->aux_dev);
> > + goto err_ret;
> >
> > err_aux_dev_init_0:
> > ida_free(&gp_client_ida, aux_bus->aux_device_wrapper[0]->aux_dev.id);
>
> Hi,
>
> This is strange because the nearly same patch is in -next since June
> 2024 ([1])
>
> It is also in Linux since at least 6.10 ([2])
>
> In [1] and [2], there is also a new err_ret label, which is not part of
> your patch.
>
> On which tree are you working?
> Is your patch compile tested?
>
> CJ
Thank you for your response. I discovered the aforementioned bug in
Linux kernel v6.4.16 (the latest v6.4). It appears that the fix was
not completed in the latest version of v6.4. I have also checked the
link you mentioned and saw that the issue has been fixed in v6.10. I
realize that I omitted the final jump patch in the patch v1 submitted,
and I will perfect it in patch v2. Thank you for your suggestion.
--
Regards,
Ma Ke
Powered by blists - more mailing lists