From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Heikki Krogerus <heikki.krogerus@linux.intel.com>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>,
John Youn <John.Youn@synopsys.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] device property: fix for a case of use-after-free
Date: Mon, 22 Feb 2016 17:40:50 +0200
Message-ID: <1456155650.13244.24.camel@linux.intel.com>
In-Reply-To: <1456152641-127948-3-git-send-email-heikki.krogerus@linux.intel.com>
On Mon, 2016-02-22 at 16:50 +0200, Heikki Krogerus wrote:
> In device_remove_property_set(), if the primary fwnode is
> of type "pset", it has to be set pointing to NULL before
> calling set_secondary_fwnode(). Otherwise
> set_secondary_fwnode() will attempt to set the
> fwnode->secondary member after the fwnode has been freed.
>
> Reported-by: John Youn <John.Youn@synopsys.com>
> Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> ---
> drivers/base/property.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/base/property.c b/drivers/base/property.c
> index a163f2c..ddf2987 100644
> --- a/drivers/base/property.c
> +++ b/drivers/base/property.c
> @@ -820,7 +820,9 @@ void device_remove_property_set(struct device
> *dev)
> * the pset. If there is no real firmware node (ACPI/DT)
> primary
> * will hold the pset.
> */
> - if (!is_pset_node(fwnode))
> + if (is_pset_node(fwnode))
> + dev->fwnode = NULL;
> + else
> fwnode = fwnode->secondary;
> if (!IS_ERR(fwnode) && is_pset_node(fwnode))
> pset_free_set(to_pset_node(fwnode));
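Review bot: the new `if (is_pset_node(fwnode))` branch clears `dev->fwnode` without a comment saying that this must happen before `pset_free_set()`. The block comment above it only explains where the pset is stored, so a later cleanup could reorder the two statements and bring the use-after-free back. A one-line comment on the `dev->fwnode = NULL;` assignment, stating that the primary is about to be freed, would make the ordering requirement explicit. The `else` branch also deserves a second look: there the pset is still attached as `fwnode->secondary` of the primary while `pset_free_set()` runs, so the primary holds a pointer to freed memory until something clears it afterwards, and this hunk does not show where that happens.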
What if we do the following
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -818,9 +818,13 @@ void device_remove_property_set(struct device
*dev)
*/
if (!is_pset_node(fwnode))
fwnode = fwnode->secondary;
+
+ /* Set device fwnode to NULL before we free it */
+ set_secondary_fwnode(dev, NULL);
+
+ /* Free property set for the given device */
if (!IS_ERR(fwnode) && is_pset_node(fwnode))
pset_free_set(to_pset_node(fwnode));
- set_secondary_fwnode(dev, NULL);
}
EXPORT_SYMBOL_GPL(device_remove_property_set);
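Review bot: the added comment `/* Set device fwnode to NULL before we free it */` may not describe what `set_secondary_fwnode(dev, NULL)` does in every case. The quoted commit message says the function sets the `fwnode->secondary` member, so for the case where the primary itself is the pset it should be confirmed that `dev->fwnode` is really cleared and does not keep pointing at the set that `pset_free_set()` frees a few lines later. In the non-pset case the node being detached is the secondary, not the device fwnode, so the comment wording should reflect that. Moving the call ahead of `pset_free_set()` does remove the write to freed memory that the original patch describes.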
?
--
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Intel Finland Oy