Re: [PATCH 5.10 191/717] memstick: fix a double-free bug in memstick_check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

> From: Qinglang Miao <miaoqinglang@xxxxxxxxxx>
> 
> [ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ]
> 
> kfree(host->card) has been called in put_device so that
> another kfree would raise cause a double-free bug.

> +++ b/drivers/memstick/core/memstick.c
> @@ -468,7 +468,6 @@ static void memstick_check(struct work_struct *work)
>  			host->card = card;
>  			if (device_register(&card->dev)) {
>  				put_device(&card->dev);
> -				kfree(host->card);
>  				host->card = NULL;
>  			}

Does the host->card = NULL need to be removed, too (and following code
refactored)? put_device() needs that pointer to be able to free it and
it can do so asynchronously.

This will cause crashes; they should be easy to reproduce with
CONFIG_DEBUG_KOBJECT_RELEASE due to delay in kobject_release() AFAICT.

Best regards,								Pavel

-- 
http://www.livejournal.com/~pavelmachek

Attachment: signature.asc
Description: Digital signature


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux