From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751951AbdHaQ5F (ORCPT ); Thu, 31 Aug 2017 12:57:05 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:48930 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751776AbdHaQ5E (ORCPT ); Thu, 31 Aug 2017 12:57:04 -0400 Date: Thu, 31 Aug 2017 18:57:08 +0200 From: Greg KH To: Christophe JAILLET Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: Re: [PATCH] driver core: bus: Fix a potential double free Message-ID: <20170831165708.GA26329@kroah.com> References: <20170829192349.15666-1-christophe.jaillet@wanadoo.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170829192349.15666-1-christophe.jaillet@wanadoo.fr> User-Agent: Mutt/1.8.3 (2017-05-23) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 29, 2017 at 09:23:49PM +0200, Christophe JAILLET wrote: > The .release function of driver_ktype is 'driver_release()'. > This function frees the container_of this kobject. > > So, this memory must not be freed explicitly in the error handling path of > 'bus_add_driver()'. Otherwise a double free will occur. Oh, nice catch! > > Signed-off-by: Christophe JAILLET > --- > I have left the 'drv->p = NULL' even if it looks useless to me. It does not > hurt. I have also left a comment to explain why we do not free 'drv->p' > explicitly before zeroing this pointer. We need that for when people do static structures. Like as is done for drivers. Well, I think that's why we need it, can't really remember, might as well be safe, the error handling paths here are crazy at times... thnaks, greg k-h