Hi,

------- Original Message -------
On Monday, May 30th, 2022 at 19:59, Danny van Heumen <danny@xxxxxxxxxxxxxxxxx> wrote:

> Hi all,
>
> I'd like to follow up with an updated patch. I had another look at the code. I think the
> following proposal may correct the control flow to prevent the double-free from happening
> in the first place.
>
> Again, I would appreciate any feedback you might have, as I have little experience in this
> area. A stacktrace is present in the commit message, in case you are looking for extra data
> that demonstrates the issue.

Could someone follow up on this? I have not received any response, so it is not clear to me if the patch is the issue, or whether it is something else.

I am running these changes on my Pinebook Pro laptop, so far without issue.

Thanks in advance,
Danny

> [..]
>
> ------- Original Message -------
> On Tuesday, May 24th, 2022 at 18:51, Danny van Heumen <danny@xxxxxxxxxxxxxxxxx> wrote:
>
> > Dear all,
> >
> > I am not a regular C developer nor kernel developer. I don't regularly report issues, so I will probably do things wrong.
> >
> > I investigated a crash that IIUC occurs with hardened memory allocation enabled and a firmware crash followed by an early failure during hardware reinitialization/probing. The hardened allocator detects a double-free issue.
> >
> > I have created the patch (see attachment) against linux-5.18. Though, please check carefully, because I have not been able to confirm that it actually works. I am hoping someone familiar with the code-base can either test this easily, or confirm from review/analysis.
> >
> > The commit message describes it in more detail. In summary: 'brcmf_sdio_bus_reset' cleans up and reinitializes the hardware. It frees memory used by (struct brcmf_sdio_dev)->freezer (struct brcmf_sdiod_freezer). However, it then goes to probe the hardware, and an early failure to probe results in the same freeing, both called through function 'brcmf_sdiod_freezer_detach' called inside 'brcmf_sdiod_remove'. This results in double freeing.
> >
> > As mentioned before, I was not able to test this and I do not regularly develop in C. I am not confident that this is the proper way to fix it, but it seemed obvious enough. I hope you can support in fixing this bug.
> >
> > Kind regards,
> > Danny
> >
> > PS: Please let me know if I am doing things wrong. I have included both maintainers and mailing lists from https://docs.kernel.org/process/maintainers.html#broadcom-brcm80211-ieee802-11n-wireless-driver I hope this is alright.
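To make the control flow in the report concrete, here is an added example that is not brcmfmac code and not the patch from the thread: a small C model of reset -> detach -> probe fails -> remove -> detach, with a pointer-tracking allocator standing in for the hardened allocator that reported the crash. The names sdio_dev, bus_reset, sdio_probe, sdio_remove and freezer_detach_* are simplified stand-ins for the driver's structures and functions. The idempotent detach variant is one common way to close this kind of double free and is an assumption here, since the actual patch is not on the page; the report itself says its fix works on the caller side, by correcting the control flow so the second detach never happens.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the control flow described in the thread. Not
 * brcmfmac code: struct and function names are simplified stand-ins for
 * the driver's sdiodev/freezer objects and for bus_reset/probe/remove.
 */

/* Stand-in for a hardened allocator: remember which blocks are live so a
 * second free of the same block is reported instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n);
	if (!p)
		return NULL;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = p;
			return p;
		}
	}
	free(p);
	return NULL;
}

static void tracked_free(void *p)
{
	if (!p)
		return;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	double_free_count++; /* block is not live: this is a double free */
}

struct freezer { int frozen; };
struct sdio_dev { struct freezer *freezer; };

typedef void (*detach_fn)(struct sdio_dev *);

/* Detach as the report describes it: frees the freezer but leaves the
 * dangling pointer in the device, so a second call frees it again. */
static void freezer_detach_dangling(struct sdio_dev *dev)
{
	tracked_free(dev->freezer);
}

/* One possible hardening (an assumption here, not the posted patch):
 * make detach idempotent by clearing the pointer after the free. */
static void freezer_detach_idempotent(struct sdio_dev *dev)
{
	if (!dev->freezer)
		return;
	tracked_free(dev->freezer);
	dev->freezer = NULL;
}

/* remove(): the cleanup path. An early probe failure also ends up here. */
static void sdio_remove(struct sdio_dev *dev, detach_fn detach)
{
	detach(dev);
}

static int sdio_probe(struct sdio_dev *dev, int fail_early, detach_fn detach)
{
	if (fail_early) {
		sdio_remove(dev, detach); /* failure cleanup detaches again */
		return -1;
	}
	dev->freezer = tracked_alloc(sizeof(*dev->freezer));
	return dev->freezer ? 0 : -1;
}

/* bus_reset(): tear down the freezer, then re-probe. Returns how many
 * double frees the tracking allocator observed during this run. */
static int bus_reset(int probe_fails, detach_fn detach)
{
	struct sdio_dev dev = { 0 };

	memset(live, 0, sizeof live);
	double_free_count = 0;

	dev.freezer = tracked_alloc(sizeof(*dev.freezer));
	detach(&dev);                             /* first free, in reset */
	if (sdio_probe(&dev, probe_fails, detach) == 0)
		detach(&dev);                     /* normal teardown on success */
	return double_free_count;
}

int main(void)
{
	printf("dangling detach, probe fails:   %d double free(s)\n",
	       bus_reset(1, freezer_detach_dangling));
	printf("idempotent detach, probe fails: %d double free(s)\n",
	       bus_reset(1, freezer_detach_idempotent));
	return 0;
}
```

Build with `cc -Wall -o model model.c` and run it: the dangling variant reports one double free on the probe-failure path and none when probe succeeds, the idempotent variant reports none in either case. The point for review is that the reset path and the failure-cleanup path both reach the same detach; either the caller must skip the second detach (the approach the report describes) or the callee must tolerate being called twice.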