linux-kernel.vger.kernel.org archive mirror
* [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c
@ 2020-11-26  1:26 Youling Tang
  2020-11-26 14:22 ` Rafael J. Wysocki
  0 siblings, 1 reply; 3+ messages in thread
From: Youling Tang @ 2020-11-26  1:26 UTC (permalink / raw)
  To: Rafael J. Wysocki, Len Brown; +Cc: linux-acpi, linux-kernel

kfree() has been called inside put_device so another kfree would cause a
use-after-free bug.

Signed-off-by: Youling Tang <tangyouling@loongson.cn>
---
 drivers/acpi/acpi_ipmi.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
index 9d6c0fc..18edf8b 100644
--- a/drivers/acpi/acpi_ipmi.c
+++ b/drivers/acpi/acpi_ipmi.c
@@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device)
 {
 	ipmi_destroy_user(ipmi_device->user_interface);
 	put_device(ipmi_device->dev);
-	kfree(ipmi_device);
 }
 
 static void ipmi_dev_release_kref(struct kref *kref)
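Review bot: dropping kfree(ipmi_device) at the end of ipmi_dev_release() looks like it leaks the structure. put_device() is called on ipmi_device->dev, a separate object reached through a pointer member, and nothing in this hunk shows that releasing that reference frees the containing struct acpi_ipmi_device. The following ipmi_dev_release_kref() suggests the structure has its own kref-managed lifetime that ends in this function. Either keep the kfree(), or name in the changelog the release callback that frees ipmi_device so the claim can be checked.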
-- 
2.1.0



* Re: [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c
  2020-11-26  1:26 [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c Youling Tang
@ 2020-11-26 14:22 ` Rafael J. Wysocki
  2020-11-27  6:17   ` Youling Tang
  0 siblings, 1 reply; 3+ messages in thread
From: Rafael J. Wysocki @ 2020-11-26 14:22 UTC (permalink / raw)
  To: Youling Tang
  Cc: Rafael J. Wysocki, Len Brown, ACPI Devel Maling List,
	Linux Kernel Mailing List

On Thu, Nov 26, 2020 at 2:26 AM Youling Tang <tangyouling@loongson.cn> wrote:
>
> kfree() has been called inside put_device so another kfree would cause a
> use-after-free bug.
>
> Signed-off-by: Youling Tang <tangyouling@loongson.cn>
> ---
>  drivers/acpi/acpi_ipmi.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
> index 9d6c0fc..18edf8b 100644
> --- a/drivers/acpi/acpi_ipmi.c
> +++ b/drivers/acpi/acpi_ipmi.c
> @@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device)
>  {
>         ipmi_destroy_user(ipmi_device->user_interface);
>         put_device(ipmi_device->dev);

Does putting ipmi_device->dev (which is a different object than
ipmi_device itself) really cause ipmi_device to be freed
automatically?  If not, the change below will introduce a memory leak.

> -       kfree(ipmi_device);
>  }
>
>  static void ipmi_dev_release_kref(struct kref *kref)
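Review bot: the removed kfree(ipmi_device) is the last statement of ipmi_dev_release(), and both ipmi_device->user_interface and ipmi_device->dev are read before it, so no access to ipmi_device after a free is visible here. If put_device() did free the structure, the second kfree() would be a double free rather than a use-after-free. The changelog should use the matching term and include the report or call trace that showed the problem.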
> --


* Re: [PATCH v2] acpi: Fix use-after-free in acpi_ipmi.c
  2020-11-26 14:22 ` Rafael J. Wysocki
@ 2020-11-27  6:17   ` Youling Tang
  0 siblings, 0 replies; 3+ messages in thread
From: Youling Tang @ 2020-11-27  6:17 UTC (permalink / raw)
  To: Rafael J. Wysocki
  Cc: Rafael J. Wysocki, Len Brown, ACPI Devel Maling List,
	Linux Kernel Mailing List

Hi,

On 11/26/2020 10:22 PM, Rafael J. Wysocki wrote:
> On Thu, Nov 26, 2020 at 2:26 AM Youling Tang <tangyouling@loongson.cn> wrote:
>> kfree() has been called inside put_device so another kfree would cause a
>> use-after-free bug.
>>
>> Signed-off-by: Youling Tang <tangyouling@loongson.cn>
>> ---
>>   drivers/acpi/acpi_ipmi.c | 1 -
>>   1 file changed, 1 deletion(-)
>>
>> diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
>> index 9d6c0fc..18edf8b 100644
>> --- a/drivers/acpi/acpi_ipmi.c
>> +++ b/drivers/acpi/acpi_ipmi.c
>> @@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device)
>>   {
>>          ipmi_destroy_user(ipmi_device->user_interface);
>>          put_device(ipmi_device->dev);
> Does putting ipmi_device->dev (which is a different object than
> ipmi_device itself) really cause ipmi_device to be freed
> automatically?  If not, the change below will introduce a memory leak.
>
ipmi_device will be freed, so there is no memory leak.
Similar to the following:
https://lore.kernel.org/patchwork/patch/1342136/

Thanks,
Youling.
>> -       kfree(ipmi_device);
>>   }
>>
>>   static void ipmi_dev_release_kref(struct kref *kref)
>> --
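
Added example, not part of the thread or of the kernel source: a userspace C model of the ownership question raised in the review above, namely whether dropping the reference on ipmi_device->dev also frees ipmi_device. It assumes the device's release callback frees only the device object (the thread does not settle whether that holds for the real driver); every model_* name and containers_left_after_release() are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

struct model_device {                 /* stands in for struct device */
    int refcount;
    void (*release)(struct model_device *dev);
};
struct model_ipmi_device {            /* stands in for struct acpi_ipmi_device */
    struct model_device *dev;         /* pointer to a separate object */
};
static int live_containers;           /* containers allocated and not yet freed */

static void model_dev_release(struct model_device *dev)
{
    free(dev);                        /* assumption: frees the device only */
}
static void model_put_device(struct model_device *dev)
{
    if (--dev->refcount == 0)         /* last reference runs the callback */
        dev->release(dev);
}
/* Same shape as ipmi_dev_release(); keep_kfree=1 models the pre-patch body. */
static void model_ipmi_release(struct model_ipmi_device *ipmi, int keep_kfree)
{
    model_put_device(ipmi->dev);
    if (keep_kfree) {
        live_containers--;
        free(ipmi);
    }
}
/* Builds one container and device, releases it, returns containers still live. */
int containers_left_after_release(int keep_kfree)
{
    struct model_device *dev = malloc(sizeof(*dev));
    struct model_ipmi_device *ipmi = malloc(sizeof(*ipmi));
    if (!dev || !ipmi)
        abort();
    *dev = (struct model_device){ .refcount = 1, .release = model_dev_release };
    ipmi->dev = dev;
    live_containers = 1;
    model_ipmi_release(ipmi, keep_kfree);
    if (live_containers)
        free(ipmi);                   /* tidy up what the model leaked */
    return live_containers;
}
int main(void)
{
    printf("%d %d\n", containers_left_after_release(1), containers_left_after_release(0));
    return 0;
}
```

Under that assumption the container survives when the explicit free is removed. If the real release callback did free the container, the pre-patch form would free it twice instead.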

