Hello Ma,

On 24/02/2025 at 21:30:07 +08, Ma Ke <make24@xxxxxxxxxxx> wrote:

> In the mtdswap_init(), if the allocations fail, the error handling
> path frees d->page_buf, d->eb_data, d->revmap and d->page_data without
> setting these pointers to NULL. This could lead to UAF if subsequent
> error handling or device reset operations attempt to release these
> pointers again.
>
> Set d->page_buf, d->eb_data, d->revmap and d->page_data to NULL
> immediately after freeing them to prevent misuse. Release immediately
> and set to NULL, adhering to the 'release implies invalid' defensive
> programming principle.
>
> Found by code review.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: a32159024620 ("mtd: Add mtdswap block driver")

I am sorry but are you really fixing something? There are thousands of
drivers doing nothing with their freed pointers in the error path,
because they just cannot be used anymore.

Thanks,
Miquèl
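A user-space model of the pattern discussed in this thread, added here as an example; it is not code from the mtdswap driver or from either participant. The struct, allocator and function names are hypothetical (only the four field names come from the commit message), and the model counts how often a second cleanup pass releases an already released buffer, with and without clearing the pointers.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical user-space model: field names follow the commit message,
 * the allocator and everything else are constructed for this example. */
struct dev_model { void *page_buf, *eb_data, *revmap, *page_data; };

static char arena[4][64];   /* backing store, never really released */
static int live[4];         /* 1 while the slot is allocated */
static int double_frees;    /* releases of an already released slot */

static void *model_alloc(void)
{
    for (int i = 0; i < 4; i++)
        if (!live[i]) { live[i] = 1; return arena[i]; }
    return NULL;
}

/* Like kfree(): NULL is a no-op; a stale pointer is counted, not freed. */
static void model_free(void *p)
{
    for (int i = 0; p && i < 4; i++)
        if (p == (void *)arena[i]) {
            if (live[i]) live[i] = 0; else double_frees++;
            return;
        }
}

static void release(struct dev_model *d, int clear)
{
    void **f[] = { &d->page_buf, &d->eb_data, &d->revmap, &d->page_data };
    for (int i = 0; i < 4; i++) {
        model_free(*f[i]);
        if (clear) *f[i] = NULL;
    }
}

/* Init succeeds for the first `ok` buffers, then the error path runs,
 * then a second cleanup path runs. Returns the double frees counted. */
int teardown_twice(int ok, int clear)
{
    struct dev_model d = { 0 };
    void **f[] = { &d.page_buf, &d.eb_data, &d.revmap, &d.page_data };
    double_frees = 0;
    for (int i = 0; i < 4; i++) live[i] = 0;
    for (int i = 0; i < ok && i < 4; i++) *f[i] = model_alloc();
    release(&d, clear);   /* error path of init */
    release(&d, clear);   /* later reset or teardown */
    return double_frees;
}

int main(void)
{
    printf("stale: %d, cleared: %d\n", teardown_twice(2, 0), teardown_twice(2, 1));
    return 0;
}
```

The count is non-zero only when a second release actually reaches the same structure; if nothing can touch it after the error path, both variants behave identically.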