Re: [PATCH 5.10 191/717] memstick: fix a double-free bug in memstick_check

From: Pavel Machek
Date: Tue Dec 29 2020 - 17:44:11 EST


Hi!

> From: Qinglang Miao <miaoqinglang@xxxxxxxxxx>
>
> [ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ]
>
> kfree(host->card) has been called in put_device so that
> another kfree would cause a double-free bug.

> +++ b/drivers/memstick/core/memstick.c
> @@ -468,7 +468,6 @@ static void memstick_check(struct work_struct *work)
> host->card = card;
> if (device_register(&card->dev)) {
> put_device(&card->dev);
> - kfree(host->card);
> host->card = NULL;
> }
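Review bot: the commit message justifies dropping kfree(host->card) by stating that put_device() already frees the card, but the hunk does not show the release callback that does so; naming that callback (the card's dev.release) in the message would let a reviewer confirm the object is freed exactly once rather than taking the claim on trust. As for the remaining context lines, put_device() is handed &card->dev, i.e. the local `card` pointer stored on the line above (`host->card = card;`), so keeping `host->card = NULL;` after the put is correct: it clears the host's now-stale reference without affecting the release, since put_device() does not go through host->card to find the object.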

Does the host->card = NULL need to be removed, too (and following code
refactored)? put_device() needs that pointer to be able to free it and
it can do so asynchronously.

This will cause crashes; they should be easy to reproduce with
CONFIG_DEBUG_KOBJECT_RELEASE due to delay in kobject_release() AFAICT.

Best regards, Pavel

--
http://www.livejournal.com/~pavelmachek
