* [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c
@ 2020-11-26 1:26 Youling Tang
2020-11-26 14:22 ` Rafael J. Wysocki
0 siblings, 1 reply; 3+ messages in thread
From: Youling Tang @ 2020-11-26 1:26 UTC (permalink / raw)
To: Rafael J. Wysocki, Len Brown; +Cc: linux-acpi, linux-kernel
kfree() has been called inside put_device so anther kfree would cause a
use-after-free bug.
Signed-off-by: Youling Tang <tangyouling@loongson.cn>
---
drivers/acpi/acpi_ipmi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
index 9d6c0fc..18edf8b 100644
--- a/drivers/acpi/acpi_ipmi.c
+++ b/drivers/acpi/acpi_ipmi.c
@@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device)
{
ipmi_destroy_user(ipmi_device->user_interface);
put_device(ipmi_device->dev);
- kfree(ipmi_device);
}
static void ipmi_dev_release_kref(struct kref *kref)
--
2.1.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c
2020-11-26 1:26 [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c Youling Tang
@ 2020-11-26 14:22 ` Rafael J. Wysocki
2020-11-27 6:17 ` Youling Tang
0 siblings, 1 reply; 3+ messages in thread
From: Rafael J. Wysocki @ 2020-11-26 14:22 UTC (permalink / raw)
To: Youling Tang
Cc: Rafael J. Wysocki, Len Brown, ACPI Devel Maling List,
Linux Kernel Mailing List
On Thu, Nov 26, 2020 at 2:26 AM Youling Tang <tangyouling@loongson.cn> wrote:
>
> kfree() has been called inside put_device so anther kfree would cause a
> use-after-free bug.
>
> Signed-off-by: Youling Tang <tangyouling@loongson.cn>
> ---
> drivers/acpi/acpi_ipmi.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
> index 9d6c0fc..18edf8b 100644
> --- a/drivers/acpi/acpi_ipmi.c
> +++ b/drivers/acpi/acpi_ipmi.c
> @@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device)
> {
> ipmi_destroy_user(ipmi_device->user_interface);
> put_device(ipmi_device->dev);
Does putting ipmi_device->dev (which is a different object than
ipmi_device itself) really cause ipmi_device to be freed
automatically? If not, the change below will introduce a memory leak.
> - kfree(ipmi_device);
> }
>
> static void ipmi_dev_release_kref(struct kref *kref)
> --
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c
2020-11-26 14:22 ` Rafael J. Wysocki
@ 2020-11-27 6:17 ` Youling Tang
0 siblings, 0 replies; 3+ messages in thread
From: Youling Tang @ 2020-11-27 6:17 UTC (permalink / raw)
To: Rafael J. Wysocki
Cc: Rafael J. Wysocki, Len Brown, ACPI Devel Maling List,
Linux Kernel Mailing List
Hi,
On 11/26/2020 10:22 PM, Rafael J. Wysocki wrote:
> On Thu, Nov 26, 2020 at 2:26 AM Youling Tang <tangyouling@loongson.cn> wrote:
>> kfree() has been called inside put_device so anther kfree would cause a
>> use-after-free bug.
>>
>> Signed-off-by: Youling Tang <tangyouling@loongson.cn>
>> ---
>> drivers/acpi/acpi_ipmi.c | 1 -
>> 1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
>> index 9d6c0fc..18edf8b 100644
>> --- a/drivers/acpi/acpi_ipmi.c
>> +++ b/drivers/acpi/acpi_ipmi.c
>> @@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device)
>> {
>> ipmi_destroy_user(ipmi_device->user_interface);
>> put_device(ipmi_device->dev);
> Does putting ipmi_device->dev (which is a different object than
> ipmi_device itself) really cause ipmi_device to be freed
> automatically? If not, the change below will introduce a memory leak.
>
ipmi_device will be free so that there is no memory leak.
Similar to the following:
https://lore.kernel.org/patchwork/patch/1342136/
Thanks,
Youling.
>> - kfree(ipmi_device);
>> }
>>
>> static void ipmi_dev_release_kref(struct kref *kref)
>> --
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-11-27 6:17 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-26 1:26 [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c Youling Tang
2020-11-26 14:22 ` Rafael J. Wysocki
2020-11-27 6:17 ` Youling Tang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).