From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: [4.9,48/94] EDAC, i7core: Fix memleaks and use-after-free on probe and remove From: Greg Kroah-Hartman Message-Id: <20181002132503.813245029@linuxfoundation.org> Date: Tue, 2 Oct 2018 06:25:02 -0700 To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Mauro Carvalho Chehab , linux-edac , Borislav Petkov , Sasha Levin List-ID: NC45LXN0YWJsZSByZXZpZXcgcGF0Y2guICBJZiBhbnlvbmUgaGFzIGFueSBvYmplY3Rpb25zLCBw bGVhc2UgbGV0IG1lIGtub3cuCgotLS0tLS0tLS0tLS0tLS0tLS0KCkZyb206IEpvaGFuIEhvdm9s ZCA8am9oYW5Aa2VybmVsLm9yZz4KClsgVXBzdHJlYW0gY29tbWl0IDZjOTc0ZDRkZmFmZTVlOWVl NzU0ZjJhNmZiYTBlYjE4NjRmMTY0OWUgXQoKTWFrZSBzdXJlIHRvIGZyZWUgYW5kIGRlcmVnaXN0 ZXIgdGhlIGFkZHJtYXRjaCBhbmQgY2hhbmNvdW50cyBkZXZpY2VzCmFsbG9jYXRlZCBkdXJpbmcg cHJvYmUgaW4gYWxsIGVycm9yIHBhdGhzLiBBbHNvIGZpeCB1c2UtYWZ0ZXItZnJlZSBpbiBhCnBy b2JlIGVycm9yIHBhdGggYW5kIGluIHRoZSByZW1vdmUgc3VjY2VzcyBwYXRoIHdoZXJlIHRoZSBk ZXZpY2VzIHdlcmUKYmVpbmcgcHV0IGJlZm9yZSBiZWZvcmUgZGVyZWdpc3RyYXRpb24uCgpTaWdu ZWQtb2ZmLWJ5OiBKb2hhbiBIb3ZvbGQgPGpvaGFuQGtlcm5lbC5vcmc+CkNjOiBNYXVybyBDYXJ2 YWxobyBDaGVoYWIgPG1jaGVoYWJAa2VybmVsLm9yZz4KQ2M6IGxpbnV4LWVkYWMgPGxpbnV4LWVk YWNAdmdlci5rZXJuZWwub3JnPgpGaXhlczogMzU2ZjBhMzA4NjBkICgiaTdjb3JlX2VkYWM6IGNo YW5nZSB0aGUgbWVtIGFsbG9jYXRpb24gc2NoZW1lIHRvIG1ha2UgRG9jdW1lbnRhdGlvbi9rb2Jq ZWN0LnR4dCBoYXBweSIpCkxpbms6IGh0dHA6Ly9sa21sLmtlcm5lbC5vcmcvci8yMDE4MDYxMjEy NDMzNS42NDIwLTItam9oYW5Aa2VybmVsLm9yZwpTaWduZWQtb2ZmLWJ5OiBCb3Jpc2xhdiBQZXRr b3YgPGJwQHN1c2UuZGU+ClNpZ25lZC1vZmYtYnk6IFNhc2hhIExldmluIDxhbGV4YW5kZXIubGV2 aW5AbWljcm9zb2Z0LmNvbT4KU2lnbmVkLW9mZi1ieTogR3JlZyBLcm9haC1IYXJ0bWFuIDxncmVn a2hAbGludXhmb3VuZGF0aW9uLm9yZz4KLS0tCiBkcml2ZXJzL2VkYWMvaTdjb3JlX2VkYWMuYyB8 ICAgMjIgKysrKysrKysrKysrKysrLS0tLS0tLQogMSBmaWxlIGNoYW5nZWQsIDE1IGluc2VydGlv bnMoKyksIDcgZGVsZXRpb25zKC0pCgotLS0gYS9kcml2ZXJzL2VkYWMvaTdjb3JlX2VkYWMuYwor KysgYi9kcml2ZXJzL2VkYWMvaTdjb3JlX2VkYWMuYwpAQCAtMTE3NywxNSArMTE3NywxNCBAQCBz dGF0aWMgaW50IGk3Y29yZV9jcmVhdGVfc3lzZnNfZGV2aWNlcyhzCiAKIAlyYyA9IGRldmljZV9h ZGQocHZ0LT5hZGRybWF0Y2hfZGV2KTsKIAlpZiAocmMgPCAwKQotCQlyZXR1cm4gcmM7CisJCWdv dG8gZXJyX3B1dF9hZGRybWF0Y2g7CiAKIAlpZiAoIXB2dC0+aXNfcmVnaXN0ZXJlZCkgewogCQlw dnQtPmNoYW5jb3VudHNfZGV2ID0ga3phbGxvYyhzaXplb2YoKnB2dC0+Y2hhbmNvdW50c19kZXYp LAogCQkJCQkgICAgICBHRlBfS0VSTkVMKTsKIAkJaWYgKCFwdnQtPmNoYW5jb3VudHNfZGV2KSB7 Ci0JCQlwdXRfZGV2aWNlKHB2dC0+YWRkcm1hdGNoX2Rldik7Ci0JCQlkZXZpY2VfZGVsKHB2dC0+ YWRkcm1hdGNoX2Rldik7Ci0JCQlyZXR1cm4gLUVOT01FTTsKKwkJCXJjID0gLUVOT01FTTsKKwkJ CWdvdG8gZXJyX2RlbF9hZGRybWF0Y2g7CiAJCX0KIAogCQlwdnQtPmNoYW5jb3VudHNfZGV2LT50 eXBlID0gJmFsbF9jaGFubmVsX2NvdW50c190eXBlOwpAQCAtMTE5OSw5ICsxMTk4LDE4IEBAIHN0 YXRpYyBpbnQgaTdjb3JlX2NyZWF0ZV9zeXNmc19kZXZpY2VzKHMKIAogCQlyYyA9IGRldmljZV9h ZGQocHZ0LT5jaGFuY291bnRzX2Rldik7CiAJCWlmIChyYyA8IDApCi0JCQlyZXR1cm4gcmM7CisJ CQlnb3RvIGVycl9wdXRfY2hhbmNvdW50czsKIAl9CiAJcmV0dXJuIDA7CisKK2Vycl9wdXRfY2hh bmNvdW50czoKKwlwdXRfZGV2aWNlKHB2dC0+Y2hhbmNvdW50c19kZXYpOworZXJyX2RlbF9hZGRy bWF0Y2g6CisJZGV2aWNlX2RlbChwdnQtPmFkZHJtYXRjaF9kZXYpOworZXJyX3B1dF9hZGRybWF0 Y2g6CisJcHV0X2RldmljZShwdnQtPmFkZHJtYXRjaF9kZXYpOworCisJcmV0dXJuIHJjOwogfQog CiBzdGF0aWMgdm9pZCBpN2NvcmVfZGVsZXRlX3N5c2ZzX2RldmljZXMoc3RydWN0IG1lbV9jdGxf aW5mbyAqbWNpKQpAQCAtMTIxMSwxMSArMTIxOSwxMSBAQCBzdGF0aWMgdm9pZCBpN2NvcmVfZGVs ZXRlX3N5c2ZzX2RldmljZXMoCiAJZWRhY19kYmcoMSwgIlxuIik7CiAKIAlpZiAoIXB2dC0+aXNf cmVnaXN0ZXJlZCkgewotCQlwdXRfZGV2aWNlKHB2dC0+Y2hhbmNvdW50c19kZXYpOwogCQlkZXZp Y2VfZGVsKHB2dC0+Y2hhbmNvdW50c19kZXYpOworCQlwdXRfZGV2aWNlKHB2dC0+Y2hhbmNvdW50 c19kZXYpOwogCX0KLQlwdXRfZGV2aWNlKHB2dC0+YWRkcm1hdGNoX2Rldik7CiAJZGV2aWNlX2Rl bChwdnQtPmFkZHJtYXRjaF9kZXYpOworCXB1dF9kZXZpY2UocHZ0LT5hZGRybWF0Y2hfZGV2KTsK IH0KIAogLyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq KioqKioqKioqKioqKioqKioqKioqKioqKioK From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 50780C004D2 for ; Tue, 2 Oct 2018 13:41:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 21A072064D for ; Tue, 2 Oct 2018 13:41:44 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 21A072064D Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733090AbeJBUTo (ORCPT ); Tue, 2 Oct 2018 16:19:44 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:36180 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731717AbeJBUTn (ORCPT ); Tue, 2 Oct 2018 16:19:43 -0400 Received: from localhost (24-104-73-23-ip-static.hfc.comcastbusiness.net [24.104.73.23]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id F2E8DB4B; Tue, 2 Oct 2018 13:36:18 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johan Hovold , Mauro Carvalho Chehab , linux-edac , Borislav Petkov , Sasha Levin Subject: [PATCH 4.9 48/94] EDAC, i7core: Fix memleaks and use-after-free on probe and remove Date: Tue, 2 Oct 2018 06:25:02 -0700 Message-Id: <20181002132503.813245029@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181002132500.494838053@linuxfoundation.org> References: <20181002132500.494838053@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johan Hovold [ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ] Make sure to free and deregister the addrmatch and chancounts devices allocated during probe in all error paths. Also fix use-after-free in a probe error path and in the remove success path where the devices were being put before before deregistration. Signed-off-by: Johan Hovold Cc: Mauro Carvalho Chehab Cc: linux-edac Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy") Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org Signed-off-by: Borislav Petkov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/edac/i7core_edac.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) --- a/drivers/edac/i7core_edac.c +++ b/drivers/edac/i7core_edac.c @@ -1177,15 +1177,14 @@ static int i7core_create_sysfs_devices(s rc = device_add(pvt->addrmatch_dev); if (rc < 0) - return rc; + goto err_put_addrmatch; if (!pvt->is_registered) { pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev), GFP_KERNEL); if (!pvt->chancounts_dev) { - put_device(pvt->addrmatch_dev); - device_del(pvt->addrmatch_dev); - return -ENOMEM; + rc = -ENOMEM; + goto err_del_addrmatch; } pvt->chancounts_dev->type = &all_channel_counts_type; @@ -1199,9 +1198,18 @@ static int i7core_create_sysfs_devices(s rc = device_add(pvt->chancounts_dev); if (rc < 0) - return rc; + goto err_put_chancounts; } return 0; + +err_put_chancounts: + put_device(pvt->chancounts_dev); +err_del_addrmatch: + device_del(pvt->addrmatch_dev); +err_put_addrmatch: + put_device(pvt->addrmatch_dev); + + return rc; } static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci) @@ -1211,11 +1219,11 @@ static void i7core_delete_sysfs_devices( edac_dbg(1, "\n"); if (!pvt->is_registered) { - put_device(pvt->chancounts_dev); device_del(pvt->chancounts_dev); + put_device(pvt->chancounts_dev); } - put_device(pvt->addrmatch_dev); device_del(pvt->addrmatch_dev); + put_device(pvt->addrmatch_dev); } /****************************************************************************