Subject: Re: [PATCH 4.4 74/76] serial: 8250_pci: Detach low-level driver during PCI error recovery
From: Ben Hutchings
To: Greg Kroah-Hartman, Gabriel Krisman Bertazi
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sasha Levin, Sumit Semwal
Date: Tue, 04 Apr 2017 21:26:38 +0100

On Tue, 2017-03-28 at 14:31 +0200, Greg Kroah-Hartman wrote:
[...]
> static void serial8250_io_resume(struct pci_dev *dev) > { > struct serial_private *priv = pci_get_drvdata(dev); > + const struct pciserial_board *board; > > - if (priv) > - pciserial_resume_ports(priv); > + if (!priv) > + return; > + > + board = priv->board; > + kfree(priv); > + priv = pciserial_init_ports(dev, board); > + > + if (!IS_ERR(priv)) { > + pci_set_drvdata(dev, priv); > + } > }

On error, this leaves drvdata as a dangling pointer. Removing the device or driver will then cause a use-after-free. (And setting drvdata to NULL isn't enough to fix this as there is no null pointer check in pciserial_remove_ports().)

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.
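
Review bot: in serial8250_io_resume(), kfree(priv) runs while drvdata still holds that pointer, and the only pci_set_drvdata() call sits inside the !IS_ERR(priv) branch, so a failed pciserial_init_ports() leaves the freed pointer installed and the failure is not logged. Clear drvdata right after the kfree(), report the error (for example with dev_err()), and make the teardown path cope with the cleared value, since the reply above points out that pciserial_remove_ports() has no NULL check. The braces around the single-statement body of `if (!IS_ERR(priv))` can also be dropped to match kernel coding style.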