Open Source and information security mailing list archives
 
Message-ID: <sgvpvlvyjl2sd4ehwujuetrtzl5jvvwkk7yxmjourgduylqf2w@g3qosecznvic>
Date: Tue, 25 Nov 2025 20:46:51 +0530
From: Abdun Nihaal <abdun.nihaal@...il.com>
To: Navaneeth K <knavaneeth786@...il.com>
Cc: parthiban.veerasooran@...rochip.com, christian.gromm@...rochip.com, 
	gregkh@...uxfoundation.org, linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: most: dim2: fix missing cleanup on interface
 registration failure


nack.

On Sat, Nov 22, 2025 at 06:56:56PM +0000, Navaneeth K wrote:
> If most_register_interface() fails, the function returned immediately
> without freeing the allocated 'dev' structure or resetting the hardware
> state via dim_shutdown().

Based on the commit message of the following commit,
most_register_interface() is expected to free the passed interface using
device release both on success and error.
commit baadf2a5c26e ("most: usb: fix double free on late probe failure")
https://lore.kernel.org/all/20251029093029.28922-1-johan@kernel.org/

>  	dev->dev.release = dim2_release;
>  
> -	return most_register_interface(&dev->most_iface);
> +	ret = most_register_interface(&dev->most_iface);
> +	if (ret)
> +		goto err_shutdown_dim;
> +
> +	return 0;
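
Review bot: The new `goto err_shutdown_dim` after most_register_interface() sits below `dev->dev.release = dim2_release;`, so by this point teardown of `dev` belongs to the release callback, and an error path that also frees `dev` and calls dim_shutdown() can run that cleanup a second time whenever most_register_interface() has already dropped the device on failure. Suggest keeping `return most_register_interface(&dev->most_iface);` here and making the error paths inside most_register_interface() release the device consistently with put_device(). The commit message should also carry a Fixes: tag.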

Commit d445aa402d60 ("staging: most: dim2: use device release method")
converted this code to use device release, where the function stored in
dev.release (dim2_release() here) will be called to free the device
when put_device() or device_unregister() is called on the device.

dim2_release() does free and shut down the hardware correctly, so doing
it again in the error path would lead to a double free.

However, I do see that in the most_register_interface() function, the first
few error paths (before the device_register() call) are not calling
put_device() to free the interface device, which is inconsistent with
the later error paths in that function.

Leave this code as it is, and fix most_register_interface()
to consistently release the device on error, by calling put_device()
on those early error paths.

Also, when sending bug fixes, add a Fixes tag.

Regards,
Nihaal
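
The ownership rule discussed in this reply, as an added userspace model that is not code from the thread or from the kernel: it counts how often an object is torn down when a register function drops the reference on some or all of its error paths and the caller does or does not add its own cleanup. All names (`model_dev`, `model_register`, `teardown_count`) are hypothetical, and a counter stands in for the free and hardware shutdown.

```c
#include <stdio.h>

struct model_dev {
    int refcount;
    int released;                        /* times teardown ran on this object */
    void (*release)(struct model_dev *);
};
enum fail { FAIL_NONE, FAIL_EARLY, FAIL_LATE };

/* Stands in for the release callback (hardware shutdown + free). */
static void model_release(struct model_dev *d) { d->released++; }

static void model_put(struct model_dev *d)
{
    if (--d->refcount == 0)
        d->release(d);                   /* last reference gone: callback runs */
}

/* Hypothetical register function. Late failures always drop the reference;
 * early failures drop it only when 'consistent' is non-zero. */
static int model_register(struct model_dev *d, enum fail f, int consistent)
{
    if (f == FAIL_EARLY) {
        if (consistent)
            model_put(d);
        return -1;
    }
    if (f == FAIL_LATE) {
        model_put(d);
        return -1;
    }
    return 0;
}

/* Returns teardown count for one probe: 0 = leak, 1 = correct, 2 = double free. */
int teardown_count(enum fail f, int consistent, int caller_cleans_up)
{
    struct model_dev d = { .refcount = 1, .released = 0, .release = model_release };
    int ret = model_register(&d, f, consistent);

    if (ret && caller_cleans_up)
        model_release(&d);               /* caller's own error-path cleanup */
    if (!ret)
        model_put(&d);                   /* normal teardown at unregister time */
    return d.released;
}

int main(void)
{
    printf("late failure + caller cleanup: %d\n", teardown_count(FAIL_LATE, 0, 1));
    return 0;
}
```

Only the combination "register drops the reference on every error path, caller adds no cleanup" yields exactly one teardown for every failure stage.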
