Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4546143pxy; Tue, 27 Apr 2021 07:29:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw7ClXkQNMUq3qaEQMbt3dwFGVKf+AWclBv8w6apOibN4sqdU6vSdfqaGdymogWpa+Cj7rP X-Received: by 2002:a05:6402:2808:: with SMTP id h8mr4727008ede.249.1619533793837; Tue, 27 Apr 2021 07:29:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619533793; cv=none; d=google.com; s=arc-20160816; b=JSfwfTC34RY1Eu+HJQ45B4AYAOKQs1/rlkcdm7TvqofkOngr56OnfMwX6ULZL595Kc xAoo69Gqf66BLaneQW7CtSN9TaWt5M8BB5DBTtAi0xWJQi64hh6+RYL4XwUHjy3BNAmu e+zcyfJCIBQUceNgKw8Fh61d2+sjRgSrVG1AjD3i4KfPG2BMzF7r8iiSuS0Q2awpR7bt MEB+iUGRzupPxxiR38onCFssb+rc8n4Kun/joQHJYzK+W3lT92fJ+o1LmmostndF3blD HxODxYqpYnPTvh+aT2esnoM9J3qdEV1lHBauE33mcaj2dOHztvDbIeq7UlTWH+eMaHLw N9xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=RwMvEObyLlKjSGQB/9hmAtzJSE09xxj6MxSNgN4PmDg=; b=jspN4dgxMdjwuSxZac/otpICJq9PerPZ0EcVcULGf5YCDfUOlcF8VnIXGMQNcnWB1y jGr5ve9UM6A/GSha24OAyG69k2ue8iBdpiDadJ3pQ1IMwkoaW9HY2wNHzHjJl4GTJuTC 57UaMkwjz44DKDH+8Xny4zyvC4GGW9pEpo5RSe5TZkTsh8LFftgWWBhCvujLxjvwHoH7 lsrGIPW+KYNWtN+6zLrw7Go1wC9L6l097jQlly24NWzK7JsadXntrFbyxfzeJZJYehfy k6irShnaAX2ZF8FSJDOE9PesozJWihleC1d/bKWT0y7FzRcYginc+tiuG+vcCyA6Q66U Rx1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=agw3pihN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z6si597ejf.385.2021.04.27.07.29.30; Tue, 27 Apr 2021 07:29:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=agw3pihN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237284AbhD0O0s (ORCPT + 99 others); Tue, 27 Apr 2021 10:26:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54030 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236358AbhD0O0s (ORCPT ); Tue, 27 Apr 2021 10:26:48 -0400 Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0361C061574 for ; Tue, 27 Apr 2021 07:26:04 -0700 (PDT) Received: by mail-wr1-x436.google.com with SMTP id n2so6521707wrm.0 for ; Tue, 27 Apr 2021 07:26:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=RwMvEObyLlKjSGQB/9hmAtzJSE09xxj6MxSNgN4PmDg=; b=agw3pihNfoQx/rmG9lGzHPRnpPYrXsNJpXdMOjbVUrgEvLtwFuHTcLG/Sfu43S8NBu nvBbsuzaPjVoYOG+SJ+dVtTSdPN9fLNrfAULOBwFmVUvZCvMjPOfOByQJCzOldf+issf 7/tOx35F9DuZZJ+Q3T/4qYAPalHVxeYaNJPEvtrrmgw+DoX9Hty1rBdNgDfV8nQekwdJ wgcO4IYJrXCH1m1X0u5vTuCHeQYufzi499D6xFPXFhQLVRk3sJh2ZnIaceBGm/zsqNLU joy+IaBjekSq5EIx9r90YBcHNel+cn0r1JgvRfRFHGX2y66eauywKyGOqlwqizVpt2cW TTJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=RwMvEObyLlKjSGQB/9hmAtzJSE09xxj6MxSNgN4PmDg=; b=S38eb4Efz26G/Fy7Mn4vr0fYE3BqEmT4u2HI/yv5mJHrzx31cYw0SR5N5U3jpqZRxo zs63iC36wD33qwuZfbUW5nvd5oRkm/4Nx9x6Xd5Co5aTUyd7Rkp7soOiceLVXuKj+yFi TGuV/oun3e7yBj+XhsTh6VtyQbZywQx7dgXyLlceqFZPAFN/N4bnQgniiCsBv7R4DT6g avtE2/jjDHmNatXB0a/uEVjnowdBBaj52BrkY09kIsw9+bFLvpg1LE7rShrBVvQ2VWL/ 0i8fKWwlLMBuwuAK+d+ahMUFyv29G9yZujkFmxqlWP+sKcEHP0YFBkoQnMTdvpKAW7PL fIBA== X-Gm-Message-State: AOAM532jVcP4CAZ1FkRocv9zwaqGDLEStINCOlsfbC0m6Vf/Hhfiw8Et Gee8IMO7GXlFJO/rmojiR1M= X-Received: by 2002:adf:ea06:: with SMTP id q6mr5891373wrm.34.1619533563597; Tue, 27 Apr 2021 07:26:03 -0700 (PDT) Received: from agape.jhs ([5.171.81.92]) by smtp.gmail.com with ESMTPSA id d5sm4182448wrv.43.2021.04.27.07.26.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Apr 2021 07:26:03 -0700 (PDT) Date: Tue, 27 Apr 2021 16:26:00 +0200 From: Fabio Aiuto To: Lv Yunlong Cc: rspringer@google.com, toddpoynor@google.com, benchan@chromium.org, rcy@google.com, gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org Subject: Re: [PATCH] Staging:gasket:core: Fix a double free in gasket_enable_device Message-ID: <20210427142559.GD1399@agape.jhs> References: <20210427141129.6207-1-lyl2019@mail.ustc.edu.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210427141129.6207-1-lyl2019@mail.ustc.edu.cn> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Lv, I fear gasket is no more on staging tree, I think it's no more on kernel. Try fetch again from remote. On Tue, Apr 27, 2021 at 07:11:29AM -0700, Lv Yunlong wrote: > In gasket_enable_device, it calls gasket_interrupt_init(). > Inside gasket_interrupt_init, interrupt_data is allocated via > kzalloc() and then is assigned to gasket_dev->interrupt_data. > If the later two kzalloc() failed, interrupt_data will be freed > and gasket_dev->interrupt_data will point to a freed memory. > > After gasket_enable_device received the error, the freed > gasket_dev->interrupt_data is freed again in > gasket_interrupt_cleanup(gasket_dev). > > My patch moves the "gasket_dev->interrupt_data = interrupt_data" > assignment behind the later kzalloc() all successd, to avoid > gasket_dev->interrupt_data pointing to a freed memory > > Fixes: 80666096eb78f ("staging: gasket: core: remove static function forward declarations") > Signed-off-by: Lv Yunlong > --- > drivers/staging/gasket/gasket_interrupt.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/staging/gasket/gasket_interrupt.c b/drivers/staging/gasket/gasket_interrupt.c > index 864342acfd86..d4993d7abb87 100644 > --- a/drivers/staging/gasket/gasket_interrupt.c > +++ b/drivers/staging/gasket/gasket_interrupt.c > @@ -322,7 +322,6 @@ int gasket_interrupt_init(struct gasket_dev *gasket_dev) > interrupt_data = kzalloc(sizeof(*interrupt_data), GFP_KERNEL); > if (!interrupt_data) > return -ENOMEM; > - gasket_dev->interrupt_data = interrupt_data; > interrupt_data->name = driver_desc->name; > interrupt_data->type = driver_desc->interrupt_type; > interrupt_data->pci_dev = gasket_dev->pci_dev; > @@ -349,6 +348,8 @@ int gasket_interrupt_init(struct gasket_dev *gasket_dev) > return -ENOMEM; > } > > + gasket_dev->interrupt_data = interrupt_data; > + > switch (interrupt_data->type) { > case PCI_MSIX: > ret = gasket_interrupt_msix_init(interrupt_data); > -- > 2.25.1 > > > thank you, fabio