Re: [PATCH 4.4 74/76] serial: 8250_pci: Detach low-level driver during PCI error recovery

From: Ben Hutchings
Date: Tue Apr 04 2017 - 16:27:02 EST

Next message: Max Filippov: "Re: [RFC][CFT][PATCHSET v1] uaccess unification"
Previous message: sathyanarayanan kuppuswamy: "Re: [PATCH v4 2/5] platform/x86: intel_pmc_ipc: Add pmc gcr read/write/update api's"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2017-03-28 at 14:31 +0200, Greg Kroah-Hartman wrote:
[...]
> static void serial8250_io_resume(struct pci_dev *dev)
> {
> struct serial_private *priv = pci_get_drvdata(dev);
> + const struct pciserial_board *board;
>
> - if (priv)
> - pciserial_resume_ports(priv);
> + if (!priv)
> + return;
> +
> + board = priv->board;
> + kfree(priv);
> + priv = pciserial_init_ports(dev, board);
> +
> + if (!IS_ERR(priv)) {
> + pci_set_drvdata(dev, priv);
> + }
> }

On error, this leaves drvdata as a dangling pointer. Removing the
device or driver will then cause a use-after-free. (And setting drvdata
to NULL isn't enough to fix this as there is no null pointer check in
pciserial_remove_ports().)

Ben.

--
Ben Hutchings
Software Developer, Codethink Ltd.

Next message: Max Filippov: "Re: [RFC][CFT][PATCHSET v1] uaccess unification"
Previous message: sathyanarayanan kuppuswamy: "Re: [PATCH v4 2/5] platform/x86: intel_pmc_ipc: Add pmc gcr read/write/update api's"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]