Re: [PATCH v10 3/7] i2c: fsi: Add port structures

From: Benjamin Herrenschmidt
Date: Tue Jun 19 2018 - 23:35:11 EST

Next message: Linus Torvalds: "Re: [RFC][PATCH 0/6] Use printk_safe context for TTY and UART port locks"
Previous message: Al Viro: "Re: [PATCH] __poll_t regressions this cycle"
Next in thread: Joel Stanley: "Re: [PATCH v10 3/7] i2c: fsi: Add port structures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2018-06-13 at 14:36 -0500, Eddie James wrote:
> }
>
> +static int fsi_i2c_remove(struct device *dev)
> +{
> + struct fsi_i2c_master *i2c = dev_get_drvdata(dev);
> + struct fsi_i2c_port *port;
> +
> + list_for_each_entry(port, &i2c->ports, list) {
> + i2c_del_adapter(&port->adapter);
> + kfree(port);
> + }
> +
> + return 0;
> +}
> +

This is a use-after-free, the list linkage of the freed port is used to
get to the next one. With memory poisoning, kbooom !

You can fold that in:

Next message: Linus Torvalds: "Re: [RFC][PATCH 0/6] Use printk_safe context for TTY and UART port locks"
Previous message: Al Viro: "Re: [PATCH] __poll_t regressions this cycle"
Next in thread: Joel Stanley: "Re: [PATCH v10 3/7] i2c: fsi: Add port structures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]