Date: Sat, 20 Aug 2022 21:51:53 -0700
From: Dmitry Torokhov
To: Rustam Subkhankulov
Cc: Tzung-Bi Shih, Benson Leung, chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org, Alexey Khoroshilov, ldv-project@linuxtesting.org
Subject: Re: [PATCH] platform/chrome: fix double-free in chromeos_laptop_prepare()
References: <20220813220843.2373004-1-subkhankulov@ispras.ru> <7d4dd8009a777a7d32f4872dc0285878dbbb91b8.camel@ispras.ru>
In-Reply-To: <7d4dd8009a777a7d32f4872dc0285878dbbb91b8.camel@ispras.ru>

On Sat, Aug 20, 2022 at 08:05:13PM +0300, Rustam Subkhankulov wrote:
> On Mon, 2022-08-15 at 05:00 +0000, Tzung-Bi Shih wrote:
> > Alternatively, I would prefer to fix the double-free by setting
> > `i2c_peripherals` to NULL after [1].
>
> Since 'cros_laptop->num_i2c_peripherals' is assigned with nonzero value
> (otherwise the code on 'err_out' is not executed), setting
> 'i2c_peripherals' to NULL after [1] will cause dereferencing of
> NULL pointer in chromeos_laptop_destroy() at [2].
>
> [1]:
> https://elixir.bootlin.com/linux/v5.19/source/drivers/platform/chrome/chromeos_laptop.c#L787
> [2]:
> https://elixir.bootlin.com/linux/v5.19/source/drivers/platform/chrome/chromeos_laptop.c#L860
>
> > After a quick glance, I found an invalid memory access at [2] if
> > `i2c_peripherals` is NULL (see [3]).
>
> After applying the patch, there will be no invalid memory access at [2]
> if 'i2c_peripherals' is NULL, because in this situation
> 'cros_laptop->num_i2c_peripherals' is zero and there is no single
> iteration of the loop.

Yes, we should either reset both cros_laptop->i2c_peripherals and
cros_laptop->num_i2c_peripherals on error, or avoid setting them until
we are sure that we are not getting an error. I think I prefer the
latter.

Reviewed-by: Dmitry Torokhov

Thanks.

-- 
Dmitry
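
The second option named in the reply above (do not set the pointer and the count until no error can occur), as an added userspace C model that is not part of the thread and is not the driver's code. struct periph, struct laptop, laptop_prepare(), laptop_destroy() and the fail_at fault-injection parameter are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <stdlib.h>
/* Hypothetical userspace stand-ins; not the driver's structures. */
struct periph { int *state; };
struct laptop {
    struct periph *periphs; /* plays the role of i2c_peripherals */
    size_t num_periphs;     /* plays the role of num_i2c_peripherals */
};
/* Teardown walks num_periphs entries, so pointer and count must agree. */
static size_t laptop_destroy(struct laptop *l)
{
    size_t visited = l->num_periphs;
    for (size_t i = 0; i < visited; i++)
        free(l->periphs[i].state);
    free(l->periphs);
    l->periphs = NULL;
    l->num_periphs = 0;
    return visited;
}

/* Build into a local array and publish to *l only when nothing can fail.
 * fail_at is constructed fault injection: that entry's allocation "fails". */
static int laptop_prepare(struct laptop *l, const unsigned short *addrs,
                          size_t n, size_t fail_at)
{
    struct periph *tmp = calloc(n, sizeof(*tmp));
    if (!tmp)
        return -ENOMEM;
    for (size_t i = 0; i < n; i++) {
        tmp[i].state = (i == fail_at) ? NULL : malloc(sizeof(int));
        if (!tmp[i].state) {
            while (i--)
                free(tmp[i].state);
            free(tmp); /* the only free of tmp; *l never pointed at it */
            return -ENOMEM;
        }
        *tmp[i].state = addrs[i];
    }
    l->periphs = tmp;
    l->num_periphs = n;
    return 0;
}

int main(void)
{
    const unsigned short addrs[] = { 0x10, 0x11, 0x12 }; /* constructed */
    struct laptop l = { 0 };
    int err = laptop_prepare(&l, addrs, 3, 1);  /* entry 1 fails */
    return err ? (int)laptop_destroy(&l) : 1;   /* exits 0: nothing walked */
}
```

Because the error path frees only the local array, a later teardown sees a NULL pointer with a zero count and neither frees the array a second time nor dereferences NULL.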