| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 May 2021 08:21:41 +0200
From: Christophe JAILLET <christophe.jaillet@...adoo.fr>
To: Andrew Lunn <andrew@...n.ch>
Cc: hkallweit1@...il.com, linux@...linux.org.uk, davem@...emloft.net,
kuba@...nel.org, david.daney@...ium.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] net: mdio: Fix a double free issue in the .remove
function
Le 12/05/2021 à 23:44, Andrew Lunn a écrit :
> On Wed, May 12, 2021 at 11:35:38PM +0200, Christophe JAILLET wrote:
>> 'bus->mii_bus' have been allocated with 'devm_mdiobus_alloc_size()' in the
>> probe function. So it must not be freed explicitly or there will be a
>> double free.
>
> Hi Christophe
>
> [PATCH] net: mdio: Fix a double free issue in the .remove function
>
> Please indicate in the subject which mdio bus driver has a double
> free.
Ok, will do.
But looking at [1], it was not not self-explanatory that it was the rule
here :)
>
> Also, octeon_mdiobus_remove() appears to have the same problem.
In fact, even a little worse. It also calls 'mdiobus_free()' in the
error handling path of the probe (which is why my coccinelle script
didn't spot it. It looks for discrepancy between error handling path in
the probe and the remove function. If both are wrong, it looks safe :) )
I'll send another patch for this driver.
CJ
>
> Andrew
>
[1]:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/log/drivers/net/mdio
Powered by blists - more mailing lists