From: Michael Ellerman
To: Frederic Barrat, Hangyu Hua, ajd@linux.ibm.com, arnd@arndb.de, gregkh@linuxfoundation.org, alastair@d-silva.org
Cc: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu
In-Reply-To:
References: <20220418085758.38145-1-hbh25y@gmail.com> <87czhbfjsj.fsf@mpe.ellerman.id.au>
Date: Fri, 22 Apr 2022 19:36:43 +1000
Message-ID: <87tual8no4.fsf@mpe.ellerman.id.au>

Frederic Barrat writes:
> On 21/04/2022 00:54, Michael Ellerman wrote:
>> Hangyu Hua writes:
>>> info_release() will be called in device_unregister() when info->dev's
>>> reference count is 0. So there is no need to call ocxl_afu_put() and
>>> kfree() again.
>>
>> Double frees are often exploitable. But it looks to me like this error
>> path is not easily reachable by an attacker.
>>
>> ocxl_file_register_afu() is only called from ocxl_probe(), and we only
>> go to err_unregister if the sysfs or cdev initialisation fails, which
>> should only happen if we hit ENOMEM, or we have a duplicate device which
>> would be a device-tree/hardware error. But maybe Fred can check more
>> closely, I don't know the driver that well.
>
> The linux devices built here are based on what is parsed on the physical
> devices. Those could be FPGAs but updating the FPGA image requires root
> privilege. In any case, duplicate AFU names are possible, that's why the
> driver adds an index (the afu->config.idx part of the name) to the linux
> device name. So we would need to mess that up in the driver as well to
> have a duplicate device name.
>
> So I would agree the double free is hard to hit.

Thanks for confirming.

> mpe: I think this patch can be taken as is. The "beautification" I
> talked about is just that and I don't intend to work on it except if
> something else shows up.

OK, will pick this up.

cheers
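The ownership rule the thread relies on, shown as an added user-space model that is not the ocxl driver's code (struct names, `kfree_tracked` and `info_alloc` are stand-ins): once device_unregister() drops the last reference, the release callback has already put the AFU and freed the info object, so the old err_unregister path's extra ocxl_afu_put()/kfree() act on an already-released object.

```c
/* Constructed user-space model of the kernel refcount/release ownership rule
 * behind this fix; not the ocxl driver's code, the names are stand-ins. */
#include <string.h>
/* Stand-in for struct device: its release callback frees the embedding object. */
struct device {
    int refcount;
    void (*release)(struct device *dev);
};
/* Stand-in for the driver's per-file info object, embedding its device. */
struct ocxl_file_info {
    struct device dev;  /* first member, so a cast recovers the container */
    int afu_refs;       /* models the AFU reference taken at registration */
    int free_count;     /* instrumentation: how often this object was freed */
};
/* Instrumented kfree(): counts frees instead of releasing memory, so a double
 * free is observable in a test rather than being undefined behaviour. */
static void kfree_tracked(struct ocxl_file_info *info) { info->free_count++; }
static void ocxl_afu_put(struct ocxl_file_info *info) { info->afu_refs--; }
/* Mirrors info_release(): drop the AFU reference, then free the info. */
static void info_release(struct device *dev) {
    struct ocxl_file_info *info = (struct ocxl_file_info *)dev;
    ocxl_afu_put(info);
    kfree_tracked(info);
}
static void device_unregister(struct device *dev) {
    if (--dev->refcount == 0)
        dev->release(dev);  /* last reference gone: release does the free */
}
static struct ocxl_file_info slot;  /* static storage, so the model never leaks */
static struct ocxl_file_info *info_alloc(void) {
    memset(&slot, 0, sizeof(slot));
    slot.dev.refcount = 1;
    slot.dev.release = info_release;
    slot.afu_refs = 1;
    return &slot;
}

/* err_unregister path before the patch: the put and the free run twice. */
int frees_before_fix(void) {
    struct ocxl_file_info *info = info_alloc();
    device_unregister(&info->dev);  /* already ran info_release() */
    ocxl_afu_put(info);             /* redundant second put: afu_refs -> -1 */
    kfree_tracked(info);            /* redundant second free */
    return info->free_count;
}
/* Same path after the patch: device_unregister() alone is the whole cleanup. */
int frees_after_fix(void) {
    struct ocxl_file_info *info = info_alloc();
    device_unregister(&info->dev);
    return info->free_count;
}
```

With a real kfree() the second free in `frees_before_fix()` is the double free the patch removes; the counter only makes it visible without crashing.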