> -----Original Message-----
> From: "Fabio Aiuto" <fabioaiuto83@xxxxxxxxx>
> Sent: 2021-04-27 22:26:00 (Tuesday)
> To: "Lv Yunlong" <lyl2019@xxxxxxxxxxxxxxxx>
> Cc: rspringer@xxxxxxxxxx, toddpoynor@xxxxxxxxxx, benchan@xxxxxxxxxxxx, rcy@xxxxxxxxxx, gregkh@xxxxxxxxxxxxxxxxxxx, linux-staging@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] Staging:gasket:core: Fix a double free in gasket_enable_device
>
> Hi Lv,
>
> I fear gasket is no longer in the staging tree; I think it's no longer in the
> kernel. Try fetching again from remote.
>
> On Tue, Apr 27, 2021 at 07:11:29AM -0700, Lv Yunlong wrote:
> > In gasket_enable_device, it calls gasket_interrupt_init().
> > Inside gasket_interrupt_init, interrupt_data is allocated via
> > kzalloc() and then is assigned to gasket_dev->interrupt_data.
> > If the later two kzalloc() calls fail, interrupt_data will be freed
> > and gasket_dev->interrupt_data will point to freed memory.
> >
> > After gasket_enable_device receives the error, the freed
> > gasket_dev->interrupt_data is freed again in
> > gasket_interrupt_cleanup(gasket_dev).
> >
> > My patch moves the "gasket_dev->interrupt_data = interrupt_data"
> > assignment behind the later kzalloc() calls, once they have all succeeded, to avoid
> > gasket_dev->interrupt_data pointing to freed memory.
> >
> > Fixes: 80666096eb78f ("staging: gasket: core: remove static function forward declarations")
> > Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
> > ---
> > drivers/staging/gasket/gasket_interrupt.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/gasket/gasket_interrupt.c b/drivers/staging/gasket/gasket_interrupt.c
> > index 864342acfd86..d4993d7abb87 100644
> > --- a/drivers/staging/gasket/gasket_interrupt.c
> > +++ b/drivers/staging/gasket/gasket_interrupt.c
> > @@ -322,7 +322,6 @@ int gasket_interrupt_init(struct gasket_dev *gasket_dev) > > interrupt_data = kzalloc(sizeof(*interrupt_data), GFP_KERNEL); > > if (!interrupt_data) > > return -ENOMEM; > > - gasket_dev->interrupt_data = interrupt_data; > > interrupt_data->name = driver_desc->name; > > interrupt_data->type = driver_desc->interrupt_type; > > interrupt_data->pci_dev = gasket_dev->pci_dev; > > @@ -349,6 +348,8 @@ int gasket_interrupt_init(struct gasket_dev *gasket_dev) > > return -ENOMEM; > > } > > > > + gasket_dev->interrupt_data = interrupt_data; > > + > > switch (interrupt_data->type) { > > case PCI_MSIX: > > ret = gasket_interrupt_msix_init(interrupt_data); > > -- > > 2.25.1 > > > > > > > > thank you, > > fabio Thanks for your reminder.
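Review bot: with the early `gasket_dev->interrupt_data = interrupt_data;` removed in the first hunk (@@ -322,7 +322,6 @@), the device field now stays NULL whenever gasket_interrupt_init() fails before the new assignment, and the commit message says gasket_enable_device() then calls gasket_interrupt_cleanup(gasket_dev) on that error path. The fix is only complete if gasket_interrupt_cleanup() tolerates a NULL interrupt_data; please confirm that (or add the check) and state it in the commit message, which currently describes only the double free.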
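Review bot: the second hunk (@@ -349,6 +348,8 @@) places the new `gasket_dev->interrupt_data = interrupt_data;` immediately before `switch (interrupt_data->type)`, whose PCI_MSIX case calls gasket_interrupt_msix_init(interrupt_data). If that init path (not shown in the hunk) frees interrupt_data on failure, the stale pointer this patch removes for the kzalloc() failures is reintroduced for that one; either move the assignment after the switch completes successfully or clear gasket_dev->interrupt_data on that error path, and say in the commit message which you chose.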