From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hulk Robot, Yang Yingliang, Mark Brown
Subject: [PATCH 5.10 48/77] regmap: Fix possible double-free in regcache_rbtree_exit()
Date: Mon, 1 Nov 2021 10:17:36 +0100
Message-Id: <20211101082521.877125303@linuxfoundation.org>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211101082511.254155853@linuxfoundation.org>
References: <20211101082511.254155853@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Yang Yingliang

commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream.

In regcache_rbtree_insert_to_block(), when the 'present' realloc fails, the
'blk' which is supposed to be assigned to 'rbnode->block' will be freed, so
'rbnode->block' points to freed memory. In the error handling path of
regcache_rbtree_init(), 'rbnode->block' will be freed again in
regcache_rbtree_exit(), and KASAN will report a double-free as follows:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
Call Trace:
 slab_free_freelist_hook+0x10d/0x240
 kfree+0xce/0x390
 regcache_rbtree_exit+0x15d/0x1a0
 regcache_rbtree_init+0x224/0x2c0
 regcache_init+0x88d/0x1310
 __regmap_init+0x3151/0x4a80
 __devm_regmap_init+0x7d/0x100
 madera_spi_probe+0x10f/0x333 [madera_spi]
 spi_probe+0x183/0x210
 really_probe+0x285/0xc30

To fix this, move up the assignment of rbnode->block to immediately after
the reallocation has succeeded so that the data structure stays valid even
if the second reallocation fails.

Reported-by: Hulk Robot
Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
Signed-off-by: Yang Yingliang
Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman --- drivers/base/regmap/regcache-rbtree.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/drivers/base/regmap/regcache-rbtree.c +++ b/drivers/base/regmap/regcache-rbtree.c @@ -281,14 +281,14 @@ static int regcache_rbtree_insert_to_blo if (!blk) return -ENOMEM; + rbnode->block = blk; + if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) { present = krealloc(rbnode->cache_present, BITS_TO_LONGS(blklen) * sizeof(*present), GFP_KERNEL); - if (!present) { - kfree(blk); + if (!present) return -ENOMEM; - } memset(present + BITS_TO_LONGS(rbnode->blklen), 0, (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen)) @@ -305,7 +305,6 @@ static int regcache_rbtree_insert_to_blo } /* update the rbnode block, its size and the base register */ - rbnode->block = blk; rbnode->blklen = blklen; rbnode->base_reg = base_reg; rbnode->cache_present = present;
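Review bot: in the first hunk (@@ -281,14) the hoisted `rbnode->block = blk;` deserves a one-line comment stating that rbnode owns blk from this point, because the `!present` path now returns on purpose with rbnode->block pointing at the resized block while rbnode->blklen and rbnode->cache_present still describe the old size. That is safe, since the new allocation is at least blklen bytes and regcache_rbtree_exit() frees by pointer, and it is exactly why the dropped `kfree(blk)` was wrong: after a successful krealloc() the previous rbnode->block is no longer a valid pointer (the data may have moved, or blk may be the same address), so freeing blk left rbnode->block dangling for regcache_rbtree_exit() to free again. A reader of the error path cannot see any of this without the commit message; something like `rbnode->block = blk; /* owned by rbnode, freed by regcache_rbtree_exit() on error */` would make the ownership transfer explicit. Note also that the `if (!blk) return -ENOMEM;` above it is fine as is: krealloc() leaves the old block untouched on failure, so rbnode->block stays valid there.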
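Review bot: in the second hunk (@@ -305,7) the retained comment `/* update the rbnode block, its size and the base register */` is now stale, since the block assignment it describes has moved up to the first hunk and only blklen, base_reg and cache_present are assigned below it; trim it to match the three assignments that remain, e.g. `/* update the rbnode size, base register and presence bitmap */`.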
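The ownership mistake the commit message describes is easy to reproduce outside the kernel, and seeing it under fault injection makes the fix obvious. The following is an added user-space example, not code from the patch or from drivers/base/regmap: sim_krealloc()/sim_kfree() are an assumed stand-in for krealloc()/kfree() that tracks live blocks and counts (rather than executes) a free of a stale pointer, `struct node` and WORDS() are a cut-down stand-in for the rbnode and BITS_TO_LONGS(), and insert_to_block() carries both shapes of the function: `fixed=false` is the pre-patch error path that frees blk, `fixed=true` hoists the block assignment the way the patch does. run_scenario() forces the N-th reallocation inside the insert to fail and then frees both buffers as regcache_rbtree_exit() would.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (assumed user-space stand-in for krealloc()/kfree()): live
 * blocks are recorded so a free of a stale pointer is counted, not executed. */
#define MAX_LIVE 32
static uintptr_t live[MAX_LIVE];
static int realloc_calls, fail_on_call, double_frees;

static int find_slot(uintptr_t p)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == p)
			return i;
	return -1;
}

/* Mirrors krealloc(): on success the old block is released (even when the data
 * moved); on failure NULL comes back and the old block is left untouched. */
static void *sim_krealloc(void *old, size_t size)
{
	void *p;

	if (++realloc_calls == fail_on_call)
		return NULL;				/* injected allocation failure */
	p = realloc(old, size);
	if (!p)
		return NULL;
	if (old)
		live[find_slot((uintptr_t)old)] = 0;	/* old is live by construction */
	live[find_slot(0)] = (uintptr_t)p;
	return p;
}

static void sim_kfree(void *p)
{
	int i = find_slot((uintptr_t)p);	/* NULL hits an empty slot: free(NULL) is a no-op */

	if (i < 0) {
		double_frees++;			/* stale or already freed pointer */
		return;
	}
	live[i] = 0;
	free(p);
}

/* Cut-down rbnode: a value block plus a presence bitmap sized in longs. */
struct node { unsigned char *block; unsigned long *present; unsigned int blklen; };
#define WORDS(len) (((len) + 8 * sizeof(unsigned long) - 1) / (8 * sizeof(unsigned long)))

/* fixed=false is the pre-patch insert path; fixed=true hoists the block assignment as the patch does. */
static int insert_to_block(struct node *node, unsigned int blklen, bool fixed)
{
	unsigned char *blk = sim_krealloc(node->block, blklen);
	unsigned long *present = node->present;

	if (!blk)
		return -ENOMEM;				/* old node->block is still valid */
	if (fixed)
		node->block = blk;			/* node owns blk from here on */
	if (WORDS(blklen) > WORDS(node->blklen)) {
		present = sim_krealloc(present, WORDS(blklen) * sizeof(*present));
		if (!present) {
			if (!fixed)
				sim_kfree(blk);		/* bug: node->block already dangles */
			return -ENOMEM;
		}
		memset(present + WORDS(node->blklen), 0,
		       (WORDS(blklen) - WORDS(node->blklen)) * sizeof(*present));
	}
	node->block = blk;
	node->blklen = blklen;
	node->present = present;
	return 0;
}

struct outcome { int ret, double_frees, leaked; };
/* Builds a 4-register node, grows it to 100 registers with the fail_call-th
 * sim_krealloc() inside insert_to_block() forced to fail (0 = never), then
 * frees both buffers the way regcache_rbtree_exit() would. */
static struct outcome run_scenario(bool fixed, int fail_call)
{
	struct node node = { .blklen = 4 };
	struct outcome out = { 0 };

	memset(live, 0, sizeof(live));
	double_frees = 0;
	node.block = sim_krealloc(NULL, 4);
	node.present = sim_krealloc(NULL, WORDS(4) * sizeof(unsigned long));
	fail_on_call = fail_call ? realloc_calls + fail_call : 0;
	out.ret = insert_to_block(&node, 100, fixed);
	fail_on_call = 0;
	sim_kfree(node.block);				/* exit path: free both buffers */
	sim_kfree(node.present);
	out.double_frees = double_frees;
	for (int i = 0; i < MAX_LIVE; i++)
		out.leaked += live[i] != 0;
	return out;
}
```

With the second reallocation forced to fail, the pre-patch shape reports one free of a pointer that is no longer live (the stale node->block the exit path touches), while the patched shape reports none and leaks nothing, because the only live value block is the one the node now owns. Failing the first reallocation is harmless in both shapes, which matches the `if (!blk) return -ENOMEM;` the hunk leaves in place.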