Hi,

Chandana Kishori Chiluveru <cchiluve@xxxxxxxxxxxxxx> writes:
> composite_dev_cleanup call from the failure of configfs_composite_bind
> frees up the cdev->os_desc_req and cdev->req. If the previous calls of
> bind and unbind are successful these will carry stale values.
>
> Consider the below sequence of function calls:
> configfs_composite_bind()
>   composite_dev_prepare()
>     - Allocate cdev->req, cdev->req->buf
>   composite_os_desc_req_prepare()
>     - Allocate cdev->os_desc_req, cdev->os_desc_req->buf
> configfs_composite_unbind()
>   composite_dev_cleanup()
>     - free the cdev->os_desc_req->buf and cdev->req->buf
> Next composition switch
> configfs_composite_bind()
>   - If it fails, goto err_comp_cleanup will call the
>     composite_dev_cleanup() function
>   composite_dev_cleanup()
>     - calls kfree with the stale values of cdev->req->buf and
>       cdev->os_desc_req from the previous configfs_composite_bind
>       call. The free call on these stale values leads to double free.
>
> Hence, fix this issue by setting request and buffer pointer to NULL after
> kfree.
>
> Signed-off-by: Chandana Kishori Chiluveru <cchiluve@xxxxxxxxxxxxxx>
>
> Changes in v2:
> - Modified commit text.

These two lines...

> ---

... should be after this tearline :-)

We don't need that in the commit log.

--
balbi
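The call sequence from the commit message, played through as an added C model (an example written for this thread, not the kernel's code or the patch): model_alloc/model_free, alloc_req, free_req and run_sequence are hypothetical stand-ins for kzalloc/kfree, the prepare and cleanup functions, and the configfs bind/unbind path, and the second bind is assumed to fail before re-allocating the requests.

```c
#include <stdlib.h>
/* Hypothetical model of the lifecycle in the commit message, not kernel code.
 * model_free() stands in for kfree() and reports a second free of the same
 * pointer; memory is really released only when run_sequence() starts. */
struct usb_request { void *buf; };
struct usb_composite_dev { struct usb_request *req, *os_desc_req; };
static struct { void *p; int freed; } slots[16];
static int nslots;
static void *model_alloc(size_t n)
{
    if (nslots == 16) abort();
    slots[nslots].freed = 0;
    return slots[nslots++].p = calloc(1, n);
}
/* Returns 1 if p was already freed (a double free), 0 otherwise. */
static int model_free(void *p)
{
    for (int i = 0; p && i < nslots; i++)
        if (slots[i].p == p) return slots[i].freed++ != 0;
    return 0;
}
/* composite_dev_prepare() / composite_os_desc_req_prepare() for one request */
static struct usb_request *alloc_req(void)
{
    struct usb_request *r = model_alloc(sizeof *r);
    r->buf = model_alloc(64);
    return r;
}
/* One request's share of composite_dev_cleanup(); fixed != 0 applies the
 * patch: buffer and request pointers are set to NULL after the free. */
static int free_req(struct usb_request **rp, int fixed)
{
    if (!*rp) return 0;
    int dbl = model_free((*rp)->buf);
    if (fixed) (*rp)->buf = NULL;
    dbl += model_free(*rp);
    if (fixed) *rp = NULL;
    return dbl;
}
/* bind (prepare), unbind (cleanup), then a bind assumed to fail before
 * prepare and jump to err_comp_cleanup. Returns the double frees seen. */
int run_sequence(int fixed)
{
    struct usb_composite_dev cdev = { 0 };
    while (nslots) free(slots[--nslots].p);
    cdev.req = alloc_req();
    cdev.os_desc_req = alloc_req();
    int dbl = free_req(&cdev.os_desc_req, fixed) + free_req(&cdev.req, fixed);
    return dbl + free_req(&cdev.os_desc_req, fixed) + free_req(&cdev.req, fixed);
}
```

Without the fix the second cleanup frees all four stale pointers again; with the pointers cleared it finds nothing to free.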