Patch "ubi: Fix possible null-ptr-deref in ubi_free_volume()" has been added to the 6.2-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    ubi: Fix possible null-ptr-deref in ubi_free_volume()

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ubi-fix-possible-null-ptr-deref-in-ubi_free_volume.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c0c3238d9378f9500cf802492f095f547ec4db5e
Author: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Date:   Mon Nov 14 18:26:24 2022 +0800

    ubi: Fix possible null-ptr-deref in ubi_free_volume()
    
    [ Upstream commit c15859bfd326c10230f09cb48a17f8a35f190342 ]
    
    It willl cause null-ptr-deref in the following case:
    
    uif_init()
      ubi_add_volume()
        cdev_add() -> if it fails, call kill_volumes()
        device_register()
    
    kill_volumes() -> if ubi_add_volume() fails call this function
      ubi_free_volume()
        cdev_del()
        device_unregister() -> trying to delete a not added device,
                               it causes null-ptr-deref
    
    So in ubi_free_volume(), it delete devices whether they are added
    or not, it will causes null-ptr-deref.
    
    Handle the error case whlie calling ubi_add_volume() to fix this
    problem. If add volume fails, set the corresponding vol to null,
    so it can not be accessed in kill_volumes() and release the
    resource in ubi_add_volume() error path.
    
    Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
    Suggested-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
    Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
    Reviewed-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
    Signed-off-by: Richard Weinberger <richard@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 2178eb4115b36..7f65af1697519 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -468,6 +468,7 @@ static int uif_init(struct ubi_device *ubi)
 			err = ubi_add_volume(ubi, ubi->volumes[i]);
 			if (err) {
 				ubi_err(ubi, "cannot add volume %d", i);
+				ubi->volumes[i] = NULL;
 				goto out_volumes;
 			}
 		}
diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
index 9fbc64b997cef..2c867d16f89f7 100644
--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -582,6 +582,7 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol)
 	if (err) {
 		ubi_err(ubi, "cannot add character device for volume %d, error %d",
 			vol_id, err);
+		vol_release(&vol->dev);
 		return err;
 	}
 
@@ -592,15 +593,14 @@ int ubi_add_volume(struct ubi_device *ubi, struct ubi_volume *vol)
 	vol->dev.groups = volume_dev_groups;
 	dev_set_name(&vol->dev, "%s_%d", ubi->ubi_name, vol->vol_id);
 	err = device_register(&vol->dev);
-	if (err)
-		goto out_cdev;
+	if (err) {
+		cdev_del(&vol->cdev);
+		put_device(&vol->dev);
+		return err;
+	}
 
 	self_check_volumes(ubi);
 	return err;
-
-out_cdev:
-	cdev_del(&vol->cdev);
-	return err;
 }
 
 /**



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux