Re: [GIT PULL 1/3] stm class: Fix a use-after-free

From: Alexander Shishkin
Date: Fri Sep 22 2017 - 05:06:36 EST


Greg KH <greg@xxxxxxxxx> writes:

> On Tue, Sep 19, 2017 at 06:47:40PM +0300, Alexander Shishkin wrote:
>> For reasons unknown, the stm_source removal path uses device_destroy()
>> to kill the underlying device object. Because device_destroy() uses
>> devt to look for the device to destroy and the fact that stm_source
>> devices don't have one (or all have the same one), it just picks the
>> first device in the class, which may well be the wrong one.
>>
>> That is, loading stm_console and stm_heartbeat and then removing both
>> will die in dereferencing a freed object.
>>
>> Since this should have been device_unregister() in the first place,
>> use it instead of device_destroy().
>>
>> Signed-off-by: Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>
>> Fixes: 7bd1d4093c2 ("stm class: Introduce an abstraction for System Trace Module devices")
>> Cc: stable@xxxxxxxxxxxxxxx
>> ---
>> drivers/hwtracing/stm/core.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Ugh, I just applied these as patches, and didn't do the git pull, sorry
> about that, my fault.

No worries, I'm fine either way.

> But really, patches for short series are really easy for me to do...

Sure, that's one reason why I sent it like that, so you get to choose.

Thanks,
--
Alex