[PATCH] mm: memory_hotplug: fix memory error handling

From: Muchun Song
Date: Mon May 30 2022 - 01:35:33 EST

Next message: Song Liu: "Re: [PATCH bpf-next 1/3] selftests/bpf: Shuffle cookies symbols in kprobe multi test"
Previous message: Song Liu: "Re: [PATCH] tracing/kprobes: Check whether get_kretprobe() returns NULL in kretprobe_dispatcher()"
Next in thread: David Hildenbrand: "Re: [PATCH] mm: memory_hotplug: fix memory error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The device_unregister() is supposed to be used to unregister devices if
device_register() has succeed. And device_unregister() will put device.
The caller should not do it again, otherwise, the first call of
put_device() will drop the last reference count, then the next call
of device_unregister() will UAF on device.

Fixes: 4fb6eabf1037 ("drivers/base/memory.c: cache memory blocks in xarray to accelerate lookup")
Signed-off-by: Muchun Song <songmuchun@xxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
---
drivers/base/memory.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/base/memory.c b/drivers/base/memory.c
index 7222ff9b5e05..084d67fd55cc 100644
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -636,10 +636,9 @@ static int __add_memory_block(struct memory_block *memory)
}
ret = xa_err(xa_store(&memory_blocks, memory->dev.id, memory,
GFP_KERNEL));
- if (ret) {
- put_device(&memory->dev);
+ if (ret)
device_unregister(&memory->dev);
- }
+
return ret;
}

--
2.11.0

Next message: Song Liu: "Re: [PATCH bpf-next 1/3] selftests/bpf: Shuffle cookies symbols in kprobe multi test"
Previous message: Song Liu: "Re: [PATCH] tracing/kprobes: Check whether get_kretprobe() returns NULL in kretprobe_dispatcher()"
Next in thread: David Hildenbrand: "Re: [PATCH] mm: memory_hotplug: fix memory error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]