From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: [4.14,073/137] EDAC, i7core: Fix memleaks and use-after-free on probe and remove From: Greg Kroah-Hartman Message-Id: <20181002132503.701999974@linuxfoundation.org> Date: Tue, 2 Oct 2018 06:24:34 -0700 To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Mauro Carvalho Chehab , linux-edac , Borislav Petkov , Sasha Levin List-ID: NC4xNC1zdGFibGUgcmV2aWV3IHBhdGNoLiAgSWYgYW55b25lIGhhcyBhbnkgb2JqZWN0aW9ucywg cGxlYXNlIGxldCBtZSBrbm93LgoKLS0tLS0tLS0tLS0tLS0tLS0tCgpGcm9tOiBKb2hhbiBIb3Zv bGQgPGpvaGFuQGtlcm5lbC5vcmc+CgpbIFVwc3RyZWFtIGNvbW1pdCA2Yzk3NGQ0ZGZhZmU1ZTll ZTc1NGYyYTZmYmEwZWIxODY0ZjE2NDllIF0KCk1ha2Ugc3VyZSB0byBmcmVlIGFuZCBkZXJlZ2lz dGVyIHRoZSBhZGRybWF0Y2ggYW5kIGNoYW5jb3VudHMgZGV2aWNlcwphbGxvY2F0ZWQgZHVyaW5n IHByb2JlIGluIGFsbCBlcnJvciBwYXRocy4gQWxzbyBmaXggdXNlLWFmdGVyLWZyZWUgaW4gYQpw cm9iZSBlcnJvciBwYXRoIGFuZCBpbiB0aGUgcmVtb3ZlIHN1Y2Nlc3MgcGF0aCB3aGVyZSB0aGUg ZGV2aWNlcyB3ZXJlCmJlaW5nIHB1dCBiZWZvcmUgYmVmb3JlIGRlcmVnaXN0cmF0aW9uLgoKU2ln bmVkLW9mZi1ieTogSm9oYW4gSG92b2xkIDxqb2hhbkBrZXJuZWwub3JnPgpDYzogTWF1cm8gQ2Fy dmFsaG8gQ2hlaGFiIDxtY2hlaGFiQGtlcm5lbC5vcmc+CkNjOiBsaW51eC1lZGFjIDxsaW51eC1l ZGFjQHZnZXIua2VybmVsLm9yZz4KRml4ZXM6IDM1NmYwYTMwODYwZCAoImk3Y29yZV9lZGFjOiBj aGFuZ2UgdGhlIG1lbSBhbGxvY2F0aW9uIHNjaGVtZSB0byBtYWtlIERvY3VtZW50YXRpb24va29i amVjdC50eHQgaGFwcHkiKQpMaW5rOiBodHRwOi8vbGttbC5rZXJuZWwub3JnL3IvMjAxODA2MTIx MjQzMzUuNjQyMC0yLWpvaGFuQGtlcm5lbC5vcmcKU2lnbmVkLW9mZi1ieTogQm9yaXNsYXYgUGV0 a292IDxicEBzdXNlLmRlPgpTaWduZWQtb2ZmLWJ5OiBTYXNoYSBMZXZpbiA8YWxleGFuZGVyLmxl dmluQG1pY3Jvc29mdC5jb20+ClNpZ25lZC1vZmYtYnk6IEdyZWcgS3JvYWgtSGFydG1hbiA8Z3Jl Z2toQGxpbnV4Zm91bmRhdGlvbi5vcmc+Ci0tLQogZHJpdmVycy9lZGFjL2k3Y29yZV9lZGFjLmMg fCAgIDIyICsrKysrKysrKysrKysrKy0tLS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCAxNSBpbnNlcnRp b25zKCspLCA3IGRlbGV0aW9ucygtKQoKLS0tIGEvZHJpdmVycy9lZGFjL2k3Y29yZV9lZGFjLmMK KysrIGIvZHJpdmVycy9lZGFjL2k3Y29yZV9lZGFjLmMKQEAgLTExNzcsMTUgKzExNzcsMTQgQEAg c3RhdGljIGludCBpN2NvcmVfY3JlYXRlX3N5c2ZzX2RldmljZXMocwogCiAJcmMgPSBkZXZpY2Vf YWRkKHB2dC0+YWRkcm1hdGNoX2Rldik7CiAJaWYgKHJjIDwgMCkKLQkJcmV0dXJuIHJjOworCQln b3RvIGVycl9wdXRfYWRkcm1hdGNoOwogCiAJaWYgKCFwdnQtPmlzX3JlZ2lzdGVyZWQpIHsKIAkJ cHZ0LT5jaGFuY291bnRzX2RldiA9IGt6YWxsb2Moc2l6ZW9mKCpwdnQtPmNoYW5jb3VudHNfZGV2 KSwKIAkJCQkJICAgICAgR0ZQX0tFUk5FTCk7CiAJCWlmICghcHZ0LT5jaGFuY291bnRzX2Rldikg ewotCQkJcHV0X2RldmljZShwdnQtPmFkZHJtYXRjaF9kZXYpOwotCQkJZGV2aWNlX2RlbChwdnQt PmFkZHJtYXRjaF9kZXYpOwotCQkJcmV0dXJuIC1FTk9NRU07CisJCQlyYyA9IC1FTk9NRU07CisJ CQlnb3RvIGVycl9kZWxfYWRkcm1hdGNoOwogCQl9CiAKIAkJcHZ0LT5jaGFuY291bnRzX2Rldi0+ dHlwZSA9ICZhbGxfY2hhbm5lbF9jb3VudHNfdHlwZTsKQEAgLTExOTksOSArMTE5OCwxOCBAQCBz dGF0aWMgaW50IGk3Y29yZV9jcmVhdGVfc3lzZnNfZGV2aWNlcyhzCiAKIAkJcmMgPSBkZXZpY2Vf YWRkKHB2dC0+Y2hhbmNvdW50c19kZXYpOwogCQlpZiAocmMgPCAwKQotCQkJcmV0dXJuIHJjOwor CQkJZ290byBlcnJfcHV0X2NoYW5jb3VudHM7CiAJfQogCXJldHVybiAwOworCitlcnJfcHV0X2No YW5jb3VudHM6CisJcHV0X2RldmljZShwdnQtPmNoYW5jb3VudHNfZGV2KTsKK2Vycl9kZWxfYWRk cm1hdGNoOgorCWRldmljZV9kZWwocHZ0LT5hZGRybWF0Y2hfZGV2KTsKK2Vycl9wdXRfYWRkcm1h dGNoOgorCXB1dF9kZXZpY2UocHZ0LT5hZGRybWF0Y2hfZGV2KTsKKworCXJldHVybiByYzsKIH0K IAogc3RhdGljIHZvaWQgaTdjb3JlX2RlbGV0ZV9zeXNmc19kZXZpY2VzKHN0cnVjdCBtZW1fY3Rs X2luZm8gKm1jaSkKQEAgLTEyMTEsMTEgKzEyMTksMTEgQEAgc3RhdGljIHZvaWQgaTdjb3JlX2Rl bGV0ZV9zeXNmc19kZXZpY2VzKAogCWVkYWNfZGJnKDEsICJcbiIpOwogCiAJaWYgKCFwdnQtPmlz X3JlZ2lzdGVyZWQpIHsKLQkJcHV0X2RldmljZShwdnQtPmNoYW5jb3VudHNfZGV2KTsKIAkJZGV2 aWNlX2RlbChwdnQtPmNoYW5jb3VudHNfZGV2KTsKKwkJcHV0X2RldmljZShwdnQtPmNoYW5jb3Vu dHNfZGV2KTsKIAl9Ci0JcHV0X2RldmljZShwdnQtPmFkZHJtYXRjaF9kZXYpOwogCWRldmljZV9k ZWwocHZ0LT5hZGRybWF0Y2hfZGV2KTsKKwlwdXRfZGV2aWNlKHB2dC0+YWRkcm1hdGNoX2Rldik7 CiB9CiAKIC8qKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioqCg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4782FC43143 for ; Tue, 2 Oct 2018 13:33:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 172DC2083F for ; Tue, 2 Oct 2018 13:33:36 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 172DC2083F Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731864AbeJBUQ4 (ORCPT ); Tue, 2 Oct 2018 16:16:56 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:34936 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731846AbeJBUQ4 (ORCPT ); Tue, 2 Oct 2018 16:16:56 -0400 Received: from localhost (24-104-73-23-ip-static.hfc.comcastbusiness.net [24.104.73.23]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 8101FB2F; Tue, 2 Oct 2018 13:33:32 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Mauro Carvalho Chehab , linux-edac , Borislav Petkov , Sasha Levin Subject: [PATCH 4.14 073/137] EDAC, i7core: Fix memleaks and use-after-free on probe and remove Date: Tue, 2 Oct 2018 06:24:34 -0700 Message-Id: <20181002132503.701999974@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181002132458.446916963@linuxfoundation.org> References: <20181002132458.446916963@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johan Hovold [ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ] Make sure to free and deregister the addrmatch and chancounts devices allocated during probe in all error paths. Also fix use-after-free in a probe error path and in the remove success path where the devices were being put before before deregistration. Signed-off-by: Johan Hovold Cc: Mauro Carvalho Chehab Cc: linux-edac Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy") Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org Signed-off-by: Borislav Petkov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/edac/i7core_edac.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) --- a/drivers/edac/i7core_edac.c +++ b/drivers/edac/i7core_edac.c @@ -1177,15 +1177,14 @@ static int i7core_create_sysfs_devices(s rc = device_add(pvt->addrmatch_dev); if (rc < 0) - return rc; + goto err_put_addrmatch; if (!pvt->is_registered) { pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev), GFP_KERNEL); if (!pvt->chancounts_dev) { - put_device(pvt->addrmatch_dev); - device_del(pvt->addrmatch_dev); - return -ENOMEM; + rc = -ENOMEM; + goto err_del_addrmatch; } pvt->chancounts_dev->type = &all_channel_counts_type; @@ -1199,9 +1198,18 @@ static int i7core_create_sysfs_devices(s rc = device_add(pvt->chancounts_dev); if (rc < 0) - return rc; + goto err_put_chancounts; } return 0; + +err_put_chancounts: + put_device(pvt->chancounts_dev); +err_del_addrmatch: + device_del(pvt->addrmatch_dev); +err_put_addrmatch: + put_device(pvt->addrmatch_dev); + + return rc; } static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci) @@ -1211,11 +1219,11 @@ static void i7core_delete_sysfs_devices( edac_dbg(1, "\n"); if (!pvt->is_registered) { - put_device(pvt->chancounts_dev); device_del(pvt->chancounts_dev); + put_device(pvt->chancounts_dev); } - put_device(pvt->addrmatch_dev); device_del(pvt->addrmatch_dev); + put_device(pvt->addrmatch_dev); } /****************************************************************************