Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2015826pxa; Mon, 24 Aug 2020 02:36:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyvYUTgLYksdP2Umcm8mxGJgCby6KNYT4VjL7kWjYbzaP0KlKJyKCyzrDN+8ErtEQqH7CJk X-Received: by 2002:a17:906:688c:: with SMTP id n12mr4717050ejr.3.1598261803815; Mon, 24 Aug 2020 02:36:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598261803; cv=none; d=google.com; s=arc-20160816; b=pyLv1Q3q/KwScwA5L+apP1gbrxHA4jQqYZArkcm56HS/8bAktumh4QYXixIaBrS27/ q49n5YFvchqarg/hvu95qXvdtN6UxaoJ+db7OLFoh6W6PZl5jOaolFL1+e5AWNb2hQsC ZOxRwMuQ5Ok5aPkywOldPiglMRn+m79ZDHoPb3S/UowV3x9qKgPivWSJaChzX3R3dH7/ l3SOzFuvvbJQ2pjLdL2Oz7VYqwsiHw3QluGtM6AI2ZqDkk3OtlGkbqZ3LQ6+7fYSzsvd 137N9jQjxcwX+Uwwsi2gavYZBdxLzKo1nmYwUHFUeLvfh33bJf7Ifb83MATz3g+KvMcm ygMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=zDiYUFquth7cyRebjTDkbtYp+6xmfLZ57umDUURK8BE=; b=fHYZjvf0kF/jdytuTY4wKd3wEOBN8ZhruxPv5q1xTnd3boynW2mv8qZG+Lh/iGfQ5t f+fKH156YCH7GjWi7AF6ZRVhmK0duX0HZO+CSTWHZbuHZ5kEhOfbxPmiuQ12cuB5+Jtm NukFCWpq6JQ6Gkz4m6v2ENtgrLEMjMmFzhDDbx70ayW9PGbJuIOlUIi+19dZPX2ErPJk TamqrLDvEHYw7J6cTuzZFvGkyQHuo7W+TiYDBVMe8hruHi1fvKj/qIl8d2y2l4La64ha jIxOEH8dHUMSuye+CzgsbZzir9PpFdw54F5ViuQr9CPU5lDqRM+fL1CSlz6S3mfmEvl8 t97Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=jbuFPrqn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i19si3778670ejg.457.2020.08.24.02.36.21; Mon, 24 Aug 2020 02:36:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=jbuFPrqn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725907AbgHXJdx (ORCPT + 99 others); Mon, 24 Aug 2020 05:33:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36464 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728241AbgHXItl (ORCPT ); Mon, 24 Aug 2020 04:49:41 -0400 Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51E00C061573 for ; Mon, 24 Aug 2020 01:49:40 -0700 (PDT) Received: by mail-wr1-x444.google.com with SMTP id a5so7833494wrm.6 for ; Mon, 24 Aug 2020 01:49:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=zDiYUFquth7cyRebjTDkbtYp+6xmfLZ57umDUURK8BE=; b=jbuFPrqnGdZkpuf0OoZ4MhNtVoU3u8mDO+7eohccVgR+/Ufb34v5QUQ1egDxgLLvit ny7igxC9wkACDhQkRr6+LAbF0s6BZERAJWLkn2TjC/jSUayf/7jKcIgTD9BRh5sfwpek 3/+3sXt8ISswLoWakmDyEnDaPXmLm0rh8qkSMNTJprXWyqxrRniGADdppFvoknlBT2H9 BREN1po5rN1VfvrAmPoB1o/kZrHjxz4JW0t7F0oAXyOIyCTU66lSBtz6JvHjU2z7VNOd d50rMA6vUVl/W1kA/QnRMVU/hyLBhrX12Kx4r7jko5z9Rat7BgJB18ZW2Wq6kUhA4+63 W+Ww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=zDiYUFquth7cyRebjTDkbtYp+6xmfLZ57umDUURK8BE=; b=hIjWu/ivfLIrz3m2NBA0vj1Wu2jraEwMXJo4HxRv5ccAgE2VQ7n54L7n924cdGhVT9 yvrLqqT95Vh4dyv36BytDAUaIXYW0xAJriIqyTQKWfaMimPOfgdXfcIE5lQDR6hpBagn DnpnjQyv6NyBYcz+uurpQA1V6AIPciL2/vovtZAfh9KrROgME3yDV0ruSxO1T5ZfAXIy PgWb4Rz3eaSdWsH4Hn4xUM6Coc/WIo8fTJhig+F+pj5tslN6qa6zwk31q4cJLUYXUvFu Ott3VMxA2vtmysZJJxPBb9xh3opy6/VRkBBz0tGU9oBQrJASXfp18aLahY4ZuFVuHdcM jS3Q== X-Gm-Message-State: AOAM5310pAGxjxw0hNAn042mj9YtkLrM6ffzDiTO19bbJE5ettDKS75Q MgJM4XrYcN5qpMzOXO3g9y4swA== X-Received: by 2002:a5d:6692:: with SMTP id l18mr4730824wru.211.1598258977851; Mon, 24 Aug 2020 01:49:37 -0700 (PDT) Received: from dell ([95.149.164.62]) by smtp.gmail.com with ESMTPSA id n205sm12973788wma.47.2020.08.24.01.49.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Aug 2020 01:49:37 -0700 (PDT) Date: Mon, 24 Aug 2020 09:49:35 +0100 From: Lee Jones To: Marek Szyprowski Cc: Dmitry Osipenko , linux-kernel@vger.kernel.org Subject: Re: [PATCH v1] mfd: core: Fix double-free in mfd_remove_devices_fn() Message-ID: <20200824084935.GJ3248864@dell> References: <20200817235048.24577-1-digetx@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 24 Aug 2020, Marek Szyprowski wrote: > Hi > > On 18.08.2020 01:50, Dmitry Osipenko wrote: > > The pdev.mfd_cell is released by platform_device_release(), which is > > invoked by platform_device_unregister(). Hence mfd_remove_devices_fn() > > shouldn't release the cell variable. The double-free bug is reported KASAN > > during of MFD driver module removal. > > > > Fixes: 466a62d7642f ("mfd: core: Make a best effort attempt to match devices with the correct of_nodes") > > Signed-off-by: Dmitry Osipenko > > --- > > I've reported that almost a week earlier and got information that it > will be dropped: > > https://lore.kernel.org/lkml/79bcd1b5-2247-5e00-7d49-2f94f9b40744@samsung.com/ > > https://lore.kernel.org/lkml/20200813080100.GI4354@dell/ > > Sadly it finally landed in v5.9-rc1. Would be nice to mention this in > the revert: That's true. The patch was taken out but the change managed to get in via another commit. I will add your Reported-by to the revert. > Reported-by: Marek Szyprowski > > > drivers/mfd/mfd-core.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c > > index c3651f06684f..c50718e3db58 100644 > > --- a/drivers/mfd/mfd-core.c > > +++ b/drivers/mfd/mfd-core.c > > @@ -370,8 +370,6 @@ static int mfd_remove_devices_fn(struct device *dev, void *data) > > regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies, > > cell->num_parent_supplies); > > > > - kfree(cell); > > - > > platform_device_unregister(pdev); > > return 0; > > } > > Best regards -- Lee Jones [李琼斯] Senior Technical Lead - Developer Services Linaro.org │ Open source software for Arm SoCs Follow Linaro: Facebook | Twitter | Blog