Date: Fri, 7 Oct 2022 09:07:35 +0200
From: Sascha Hauer
To: linux-pci@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Bjorn Helgaas, stable@vger.kernel.org
Subject: Re: [PATCH] PCI/sysfs: Fix double free in error path
Message-ID: <20221007070735.GX986@pengutronix.de>
References: <20221007065618.2169880-1-s.hauer@pengutronix.de>
In-Reply-To: <20221007065618.2169880-1-s.hauer@pengutronix.de>

On Fri, Oct 07, 2022 at 08:56:18AM +0200, Sascha Hauer wrote:
> When pci_create_attr() fails then pci_remove_resource_files() is called
> which will iterate over the res_attr[_wc] arrays and frees every non
> NULL entry. To avoid a double free here we have to set the failed entry
> to NULL in pci_create_attr() when freeing it.
>

You might consider applying this alternative version instead which IMO
looks a bit better.

Sascha

-------------------------------8<-----------------------------
From fe8e0e6f914c14395c751b7dc165967b12427995 Mon Sep 17 00:00:00 2001
From: Sascha Hauer Date: Fri, 7 Oct 2022 07:35:35 +0200 Subject: [PATCH] PCI/sysfs: Fix double free in error path When pci_create_attr() fails then pci_remove_resource_files() is called which will iterate over the res_attr[_wc] arrays and frees every non NULL entry. To avoid a double free here set the array entry only after it's clear we successfully initialized it. Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails") Signed-off-by: Sascha Hauer Cc: --- drivers/pci/pci-sysfs.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index fc804e08e3cb5..6dd4050c9f2ed 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -1174,11 +1174,9 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) sysfs_bin_attr_init(res_attr); if (write_combine) { - pdev->res_attr_wc[num] = res_attr; sprintf(res_attr_name, "resource%d_wc", num); res_attr->mmap = pci_mmap_resource_wc; } else { - pdev->res_attr[num] = res_attr; sprintf(res_attr_name, "resource%d", num); if (pci_resource_flags(pdev, num) & IORESOURCE_IO) { res_attr->read = pci_read_resource_io; @@ -1196,10 +1194,17 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine) res_attr->size = pci_resource_len(pdev, num); res_attr->private = (void *)(unsigned long)num; retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr); - if (retval) + if (retval) { kfree(res_attr); + return retval; + } + + if (write_combine) + pdev->res_attr_wc[num] = res_attr; + else + pdev->res_attr[num] = res_attr; - return retval; + return 0; } /** -- 2.30.2 -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
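Review bot: In the second hunk (@@ -1196,10 +1194,17 @@), the new `if (write_combine)` block stores res_attr into pdev->res_attr_wc[num] or pdev->res_attr[num] only after sysfs_create_bin_file() has returned 0, so there is a short window in which the sysfs file already exists while the array slot is still NULL. The commit message says pci_remove_resource_files() finds the entries to free by walking those arrays, so the changelog should say what prevents removal from running in that window; otherwise an attribute created just before removal would be skipped and left behind. The failure path itself reads correctly: kfree(res_attr) followed by `return retval` never touches the slot, which is what closes the double free. As a style point, write_combine is now tested twice in pci_create_attr(); a one-line comment above the late store explaining that the slot is published only on success would keep a later cleanup from merging the two branches back together and reintroducing the bug.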