From: Niklas Cassel <cassel@kernel.org>
To: Damien Le Moal <dlemoal@kernel.org>,
	Niklas Cassel <cassel@kernel.org>,
	Colin Ian King <colin.i.king@gmail.com>,
	Tejun Heo <tj@kernel.org>
Cc: linux-scsi@vger.kernel.org, John Garry <john.g.garry@oracle.com>,
	Jason Yan <yanaijie@huawei.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
	stable@vger.kernel.org, linux-ide@vger.kernel.org
Subject: [PATCH v2 02/13] ata: libata-core: Fix double free on error
Date: Wed, 26 Jun 2024 20:00:32 +0200
Message-ID: <20240626180031.4050226-17-cassel@kernel.org>
In-Reply-To: <20240626180031.4050226-15-cassel@kernel.org>

If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump
to the err_out label, which will call devres_release_group().
devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host), so executing the kfree(host) in
ata_host_alloc() will lead to a double free:

kernel BUG at mm/slub.c:553!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:kfree+0x2cf/0x2f0
Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
FS:  00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? die+0x2e/0x50
 ? do_trap+0xca/0x110
 ? do_error_trap+0x6a/0x90
 ? kfree+0x2cf/0x2f0
 ? exc_invalid_op+0x50/0x70
 ? kfree+0x2cf/0x2f0
 ? asm_exc_invalid_op+0x1a/0x20
 ? ata_host_alloc+0xf5/0x120 [libata]
 ? ata_host_alloc+0xf5/0x120 [libata]
 ? kfree+0x2cf/0x2f0
 ata_host_alloc+0xf5/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Ensure that we will not call kfree(host) twice, by performing the kfree()
only if the devres_open_group() call failed.

Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths")
Cc: stable@vger.kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
---
 drivers/ata/libata-core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 88e32f638f33..c916cbe3e099 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5573,8 +5573,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
 	if (!host)
 		return NULL;
 
-	if (!devres_open_group(dev, NULL, GFP_KERNEL))
-		goto err_free;
+	if (!devres_open_group(dev, NULL, GFP_KERNEL)) {
+		kfree(host);
+		return NULL;
+	}
 
 	dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
 	if (!dr)
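Review bot: the `if (!dr) goto err_out;` context at the end of this hunk still jumps to err_out, and the second hunk removes the kfree(host) there, so the `!dr` path now relies on devres_release_group() to free host; but the entry whose release ends in ata_host_release() is the very one devres_alloc() is failing to create on that line, so nothing is registered in the group yet and host is left allocated. Suggest freeing it explicitly in that branch, e.g. `if (!dr) { kfree(host); goto err_out; }`, or stating in the commit message why that path is safe.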
@@ -5606,8 +5608,6 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
 
  err_out:
 	devres_release_group(dev, NULL);
- err_free:
-	kfree(host);
 	return NULL;
 }
 EXPORT_SYMBOL_GPL(ata_host_alloc);
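Review bot: after this hunk the err_out label frees host only indirectly, through the devres release callback run by devres_release_group(), and nothing at the label says so; a one-line comment such as `/* host is freed by ata_host_release() via devres */` above `devres_release_group(dev, NULL);` would stop the next person from re-adding the kfree() that this patch removes.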
-- 
2.45.2
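The ownership rule behind this patch, as an added example that is not part of the patch or of libata: a constructed C model in which a devres group is opened on the device, one entry in that group frees the host when the group is released, and each error path either relies on that entry or frees the host itself. `ata_host_alloc_model`, `run_case`, the `*_model` helpers and the `fail_at` switch are all invented for the illustration; the real kfree() is replaced by a per-object counter so that the double free from the commit message shows up as a count of 2 rather than as the slub BUG in the trace above.

```c
/*
 * Constructed model (example code, not kernel code) of the ownership rule
 * behind this patch: a devres group is opened on the device and one entry in
 * it (standing in for ata_devres_release() -> ata_host_release()) frees the
 * host when the group is released. kfree() is replaced by a per-object
 * counter so a double free is a number, not undefined behaviour.
 */
#include <stdbool.h>
#include <stdio.h>

#define MAX_RES 8

struct host {
	int n_ports;
	int free_count;	/* times "kfree(host)" ran: 0 = leak, 1 = ok, 2 = double free */
};
struct devres { void (*release)(void *data); void *data; };
struct device { struct devres group[MAX_RES]; int n_in_group; };

static void host_kfree(struct host *host) { host->free_count++; }	/* stand-in for kfree() */
static void host_devres_release(void *data) { host_kfree(data); }	/* ata_devres_release() */

static bool devres_open_group_model(struct device *dev, bool fail)
{
	if (fail)
		return false;
	dev->n_in_group = 0;
	return true;
}

/* devres_alloc() + devres_add() folded into one step */
static bool devres_add_model(struct device *dev, void (*release)(void *),
			     void *data, bool fail)
{
	if (fail || dev->n_in_group == MAX_RES)
		return false;
	dev->group[dev->n_in_group++] = (struct devres){ release, data };
	return true;
}

/* devres_release_group(): run every release callback registered in the group */
static void devres_release_group_model(struct device *dev)
{
	while (dev->n_in_group > 0) {
		struct devres *r = &dev->group[--dev->n_in_group];
		r->release(r->data);
	}
}

enum fail_at { FAIL_NONE, FAIL_OPEN_GROUP, FAIL_DEVRES_ALLOC, FAIL_PORT_ALLOC };

/*
 * Modelled ata_host_alloc(). fixed == true is the error handling from the
 * patch (kfree only when the group cannot be opened); fixed == false is the
 * pre-patch flow where err_out releases the group and then also frees host.
 * Returns the host's final free count.
 */
static int ata_host_alloc_model(struct device *dev, struct host *host,
				enum fail_at fail, bool fixed)
{
	host->free_count = 0;
	host->n_ports = 0;

	if (!devres_open_group_model(dev, fail == FAIL_OPEN_GROUP)) {
		host_kfree(host);	/* nothing else owns host yet, so free it here */
		return host->free_count;
	}
	if (!devres_add_model(dev, host_devres_release, host, fail == FAIL_DEVRES_ALLOC))
		goto err_out;	/* no release entry has been registered yet */
	if (fail == FAIL_PORT_ALLOC)	/* ata_port_alloc() failed for a port */
		goto err_out;

	host->n_ports = 1;
	return host->free_count;	/* success: host stays allocated, 0 frees */

 err_out:
	devres_release_group_model(dev);	/* runs host_devres_release -> host_kfree */
	if (!fixed)
		host_kfree(host);	/* pre-patch: second free of the same object */
	return host->free_count;
}

/* Run one scenario on a fresh device and host; returns the free count. */
static int run_case(enum fail_at fail, bool fixed)
{
	struct device dev = { .n_in_group = 0 };
	struct host host;

	return ata_host_alloc_model(&dev, &host, fail, fixed);
}

int main(void)
{
	static const char *const at[] = { "none", "open_group", "devres_alloc", "port_alloc" };

	for (int f = FAIL_NONE; f <= FAIL_PORT_ALLOC; f++)
		printf("fail at %-12s pre-patch frees=%d  patched frees=%d\n",
		       at[f], run_case(f, false), run_case(f, true));
	return 0;
}
```

Running it prints one line per failure point. A port allocation failure gives 2 frees pre-patch and 1 with the patch, which is the bug and the fix from the commit message; a group-open failure gives 1 free either way, since no devres entry owns the host yet. The model also shows the one path the patch leaves to the devres machinery alone: when the release entry itself cannot be allocated, the patched flow frees the host 0 times, because the entry that would have freed it was never registered. That is a property of this constructed model under its assumption that the freeing entry is the one allocated right after the group is opened, and is worth checking against the real `if (!dr)` branch.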

