* [PATCH v1] mfd: core: Fix double-free in mfd_remove_devices_fn()
From: Dmitry Osipenko @ 2020-08-17 23:50 UTC
To: Lee Jones; +Cc: linux-kernel

The pdev.mfd_cell is released by platform_device_release(), which is
invoked by platform_device_unregister(). Hence mfd_remove_devices_fn()
shouldn't release the cell variable. The double-free bug is reported by KASAN
during MFD driver module removal.

Fixes: 466a62d7642f ("mfd: core: Make a best effort attempt to match devices with the correct of_nodes")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
---
 drivers/mfd/mfd-core.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c index c3651f06684f..c50718e3db58 100644 --- a/drivers/mfd/mfd-core.c +++ b/drivers/mfd/mfd-core.c @@ -370,8 +370,6 @@ static int mfd_remove_devices_fn(struct device *dev, void *data) regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies, cell->num_parent_supplies); - kfree(cell); - platform_device_unregister(pdev); return 0; } -- 2.27.0
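
Review bot: the spot in mfd_remove_devices_fn() where kfree(cell) is dropped, directly before platform_device_unregister(pdev), is left with no comment saying who owns cell, so nothing in the code itself discourages a later change from putting the free back. Consider a one-line comment there noting that the cell is released by platform_device_release() when platform_device_unregister() runs, as the commit message explains. The ordering in the visible context is otherwise fine: the last read of cell is regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies, cell->num_parent_supplies), which runs before the unregister call, and only return 0 follows it.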
* Re: [PATCH v1] mfd: core: Fix double-free in mfd_remove_devices_fn()
From: Lee Jones @ 2020-08-21 14:46 UTC
To: Dmitry Osipenko; +Cc: linux-kernel

On Tue, 18 Aug 2020, Dmitry Osipenko wrote:

> The pdev.mfd_cell is released by platform_device_release(), which is
> invoked by platform_device_unregister(). Hence mfd_remove_devices_fn()
> shouldn't release the cell variable. The double-free bug is reported by KASAN
> during MFD driver module removal.
>
> Fixes: 466a62d7642f ("mfd: core: Make a best effort attempt to match devices with the correct of_nodes")
> Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
> ---
> drivers/mfd/mfd-core.c | 2 --
> 1 file changed, 2 deletions(-)

Applied, thanks.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
* Re: [PATCH v1] mfd: core: Fix double-free in mfd_remove_devices_fn()
From: Marek Szyprowski @ 2020-08-24 8:38 UTC
To: Dmitry Osipenko, Lee Jones; +Cc: linux-kernel

Hi

On 18.08.2020 01:50, Dmitry Osipenko wrote:
> The pdev.mfd_cell is released by platform_device_release(), which is
> invoked by platform_device_unregister(). Hence mfd_remove_devices_fn()
> shouldn't release the cell variable. The double-free bug is reported by KASAN
> during MFD driver module removal.
>
> Fixes: 466a62d7642f ("mfd: core: Make a best effort attempt to match devices with the correct of_nodes")
> Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
> ---

I've reported that almost a week earlier and got information that it
will be dropped:

https://lore.kernel.org/lkml/79bcd1b5-2247-5e00-7d49-2f94f9b40744@samsung.com/

https://lore.kernel.org/lkml/20200813080100.GI4354@dell/

Sadly it finally landed in v5.9-rc1. Would be nice to mention this in
the revert:

Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>

> drivers/mfd/mfd-core.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c > index c3651f06684f..c50718e3db58 100644 > --- a/drivers/mfd/mfd-core.c > +++ b/drivers/mfd/mfd-core.c > @@ -370,8 +370,6 @@ static int mfd_remove_devices_fn(struct device *dev, void *data) > regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies, > cell->num_parent_supplies); > > - kfree(cell); > - > platform_device_unregister(pdev); > return 0; > }

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland
* Re: [PATCH v1] mfd: core: Fix double-free in mfd_remove_devices_fn()
From: Lee Jones @ 2020-08-24 8:49 UTC
To: Marek Szyprowski; +Cc: Dmitry Osipenko, linux-kernel

On Mon, 24 Aug 2020, Marek Szyprowski wrote:

> Hi
>
> On 18.08.2020 01:50, Dmitry Osipenko wrote:
> > The pdev.mfd_cell is released by platform_device_release(), which is
> > invoked by platform_device_unregister(). Hence mfd_remove_devices_fn()
> > shouldn't release the cell variable. The double-free bug is reported by KASAN
> > during MFD driver module removal.
> >
> > Fixes: 466a62d7642f ("mfd: core: Make a best effort attempt to match devices with the correct of_nodes")
> > Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
> > ---
>
> I've reported that almost a week earlier and got information that it
> will be dropped:
>
> https://lore.kernel.org/lkml/79bcd1b5-2247-5e00-7d49-2f94f9b40744@samsung.com/
>
> https://lore.kernel.org/lkml/20200813080100.GI4354@dell/
>
> Sadly it finally landed in v5.9-rc1. Would be nice to mention this in
> the revert:

That's true. The patch was taken out but the change managed to get in
via another commit.

I will add your Reported-by to the revert.

> Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
>
> > drivers/mfd/mfd-core.c | 2 --
> > 1 file changed, 2 deletions(-)
> >
> > diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c > > index c3651f06684f..c50718e3db58 100644 > > --- a/drivers/mfd/mfd-core.c > > +++ b/drivers/mfd/mfd-core.c
> > @@ -370,8 +370,6 @@ static int mfd_remove_devices_fn(struct device *dev, void *data) > > regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies, > > cell->num_parent_supplies); > > > > - kfree(cell); > > - > > platform_device_unregister(pdev); > > return 0; > > }
>
> Best regards

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog