[PATCH] regmap: Fix possible double-free in regcache_rbtree_exit()

[PATCH] regmap: Fix possible double-free in regcache_rbtree_exit()

[Yang Yingliang]

In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
so 'rbnode->block' points a freed memory, in the error handling path of
regcache_rbtree_init(), 'rbnode->block' will be freed again in
regcache_rbtree_exit(), KASAN will report double-free as follows:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
Call Trace:
 dump_stack_lvl+0xe2/0x152
 print_address_description.constprop.7+0x21/0x150
 kasan_report_invalid_free+0x6f/0xa0
 __kasan_slab_free+0x125/0x140
 slab_free_freelist_hook+0x10d/0x240
 kfree+0xce/0x390
 regcache_rbtree_exit+0x15d/0x1a0
 regcache_rbtree_init+0x224/0x2c0
 regcache_init+0x88d/0x1310
 __regmap_init+0x3151/0x4a80
 __devm_regmap_init+0x7d/0x100
 madera_spi_probe+0x10f/0x333 [madera_spi]
 spi_probe+0x183/0x210
 really_probe+0x285/0xc30

Set rbnode->block to NULL when the 'present' realloc failed to fix this.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/base/regmap/regcache-rbtree.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c
index cfa29dc89bbf..125111688399 100644
--- a/drivers/base/regmap/regcache-rbtree.c
+++ b/drivers/base/regmap/regcache-rbtree.c
@@ -287,6 +287,7 @@ static int regcache_rbtree_insert_to_block(struct regmap *map,
 				   GFP_KERNEL);
 		if (!present) {
 			kfree(blk);
+			rbnode->block = NULL;
 			return -ENOMEM;
 		}
 
-- 
2.25.1

Re: [PATCH] regmap: Fix possible double-free in regcache_rbtree_exit()

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 1470 bytes --]

On Mon, Oct 11, 2021 at 09:55:26PM +0800, Yang Yingliang wrote:
> In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
> the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
> so 'rbnode->block' points a freed memory, in the error handling path of
> regcache_rbtree_init(), 'rbnode->block' will be freed again in
> regcache_rbtree_exit(), KASAN will report double-free as follows:
> 
> BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
> Call Trace:
>  dump_stack_lvl+0xe2/0x152
>  print_address_description.constprop.7+0x21/0x150
>  kasan_report_invalid_free+0x6f/0xa0
>  __kasan_slab_free+0x125/0x140

Please think hard before including complete backtraces in upstream
reports, they are very large and contain almost no useful information
relative to their size so often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.

> Set rbnode->block to NULL when the 'present' realloc failed to fix this.

This is not a good fix, it will both leak block and corrupt the data
structure since now there's a NULL pointer where there should be a data
block.  We should instead be moving the assignment of rbnode->block up
to immediately after the reallocation has succeeded so that the data
structure stays valid even if the second reallocation fails.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH] regmap: Fix possible double-free in regcache_rbtree_exit()

[Yang Yingliang]

Hi,

On 2021/10/12 1:40, Mark Brown wrote:
> On Mon, Oct 11, 2021 at 09:55:26PM +0800, Yang Yingliang wrote:
>> In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
>> the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
>> so 'rbnode->block' points a freed memory, in the error handling path of
>> regcache_rbtree_init(), 'rbnode->block' will be freed again in
>> regcache_rbtree_exit(), KASAN will report double-free as follows:
>>
>> BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
>> Call Trace:
>>   dump_stack_lvl+0xe2/0x152
>>   print_address_description.constprop.7+0x21/0x150
>>   kasan_report_invalid_free+0x6f/0xa0
>>   __kasan_slab_free+0x125/0x140
> Please think hard before including complete backtraces in upstream
> reports, they are very large and contain almost no useful information
> relative to their size so often obscure the relevant content in your
> message. If part of the backtrace is usefully illustrative (it often is
> for search engines if nothing else) then it's usually better to pull out
> the relevant sections.
OK
>
>> Set rbnode->block to NULL when the 'present' realloc failed to fix this.
> This is not a good fix, it will both leak block and corrupt the data
> structure since now there's a NULL pointer where there should be a data
> block.  We should instead be moving the assignment of rbnode->block up
> to immediately after the reallocation has succeeded so that the data
> structure stays valid even if the second reallocation fails.
I will send a v2 later.

Thanks,
Yang