lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <9b3d1ab0-1313-4f87-9b98-15dd78ca24a8@stanley.mountain>
Date: Thu, 27 Feb 2025 08:55:16 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Haoxiang Li <haoxiang_li2024@....com>
Cc: mporter@...nel.crashing.org, alex.bou9@...il.com, error27@...il.com,
	akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH] rapidio: fix an API misues when rio_add_net() fails

On Thu, Feb 27, 2025 at 11:58:59AM +0800, Haoxiang Li wrote:
> rio_add_net() calls device_register() and fails when device_register()
> fails. Thus, put_device() should be used rather than kfree().
> 
> Fixes: e8de370188d0 ("rapidio: add mport char device driver")
> Cc: stable@...r.kernel.org
> Signed-off-by: Haoxiang Li <haoxiang_li2024@....com>
> ---
>  drivers/rapidio/devices/rio_mport_cdev.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 27afbb9d544b..cfff1c82fb25 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -1742,7 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
>  		err = rio_add_net(net);
>  		if (err) {
>  			rmcd_debug(RDEV, "failed to register net, err=%d", err);
> -			kfree(net);
> +			put_device(&net->dev);

Yeah, you're right.  But the worse bug is that we're missing an
"mport->net = NULL;" before this goto.  It leads to a quite bad
use after free issue if we trigger this path.

Please fix that as well and resend.

regards,
dan carpenter

>  			goto cleanup;
>  		}
>  	}
> -- 
> 2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ