Subject: Re: [PATCH] intel_th: avoid double free in error flow
To: Alexander Shishkin
Cc: zhiche.yy@alibaba-inc.com, xlpang@linux.alibaba.com, Greg Kroah-Hartman, linux-kernel@vger.kernel.org
From: Wen Yang
Date: Wed, 20 Nov 2019 21:31:51 +0800

On 2019/11/20 9:06 PM, Alexander Shishkin wrote:
> Wen Yang writes:
>
>> There is a possible double free issue in intel_th_subdevice_alloc:
>>
>> 651         err = intel_th_device_add_resources(thdev, res, subdev->nres);
>> 652         if (err) {
>> 653                 put_device(&thdev->dev);
>> 654                 goto fail_put_device; ---> freed
>> 655         }
>> ...
>> 687 fail_put_device:
>> 688         put_device(&thdev->dev); ---> double freed
>> 689
>>
>> This patch fixes it by removing the unnecessary put_device().
> Unnecessary is a too generous term here.
>
>> Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
>> Signed-off-by: Wen Yang
>> Cc: Alexander Shishkin
>> Cc: Greg Kroah-Hartman
>> Cc: linux-kernel@vger.kernel.org
> Cc: stable@ is missing.
>
>> --- >> drivers/hwtracing/intel_th/core.c | 4 +--- >> 1 file changed, 1 insertion(+), 3 deletions(-) >> >> diff --git a/drivers/hwtracing/intel_th/core.c b/drivers/hwtracing/intel_th/core.c >> index d5c1821..98d195c 100644 >> --- a/drivers/hwtracing/intel_th/core.c >> +++ b/drivers/hwtracing/intel_th/core.c
>> @@ -649,10 +649,8 @@ static inline void intel_th_request_hub_module_flush(struct intel_th *th) >> } >> >> err = intel_th_device_add_resources(thdev, res, subdev->nres); >> - if (err) { >> - put_device(&thdev->dev); >> + if (err) >> goto fail_put_device; >> - }
> What about the second instance of the same problem a few lines lower?
> Thanks,
> --
> Alex

Hi Alex,

Thank you for your comments.

Another example after a few lines lower:

        err = device_add(&thdev->dev);
        if (err) {
                put_device(&thdev->dev);
                goto fail_free_res;
        }

device_add() has increased the reference count, so when it returns an error, an additional call to put_device() is needed here to reduce the reference count. So the code in this place is correct.

--
Regards,
Wen
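
Review bot: In the `if (err)` branch after intel_th_device_add_resources(), leaving the single put_device() to the fail_put_device label is the right shape, but the changelog does not say why the put_device() in the device_add() error path stays. That path jumps to fail_free_res rather than fail_put_device, so please confirm that fail_free_res does not fall through into fail_put_device and state that in the commit message; otherwise the remaining put_device() looks like the same pattern and invites a later "cleanup". The tag block also still needs the Cc: stable@ line requested in review.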
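
The error flow described in the commit message, reduced to a user-space toy model as an added example (not code from the kernel or from this thread). `toy_dev`, `toy_put`, `toy_add_resources` and `toy_alloc` are hypothetical names, and the model covers only the intel_th_device_add_resources() failure path, not device_add().

```c
#include <stdio.h>

/* Toy model of a refcounted device; all names here are hypothetical. */
struct toy_dev {
    int refs;       /* 1 after initialisation */
    int released;   /* times the release callback ran */
    int stale_puts; /* puts on an already released object */
};

static void toy_put(struct toy_dev *d)
{
    if (d->refs == 0) {     /* in real code this touches freed memory */
        d->stale_puts++;
        return;
    }
    if (--d->refs == 0)
        d->released++;
}

/* Stand-in for a setup step that can fail (constructed for the example). */
static int toy_add_resources(int fail) { return fail ? -12 /* -ENOMEM */ : 0; }

/* patched == 0: pre-patch flow; patched == 1: flow after the patch. */
static int toy_alloc(struct toy_dev *d, int fail, int patched)
{
    int err;

    d->refs = 1; d->released = d->stale_puts = 0;
    err = toy_add_resources(fail);
    if (err) {
        if (!patched)
            toy_put(d);      /* the put_device() the patch removes */
        goto fail_put_device;
    }
    return 0;
fail_put_device:
    toy_put(d);              /* the label's put, kept by the patch */
    return err;
}

int main(void)
{
    struct toy_dev d;
    for (int patched = 0; patched <= 1; patched++) {
        int err = toy_alloc(&d, 1, patched);
        printf("patched=%d err=%d released=%d stale_puts=%d\n",
               patched, err, d.released, d.stale_puts);
    }
    return 0;
}
```

A non-zero `stale_puts` marks the second put on an object whose release has already run, which is the double free the patch removes.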