Re: [PATCH] nvmem: core: Fix a potential use after free

From: Srinivas Kandagatla
Date: Mon Jan 06 2020 - 07:35:36 EST



Thanks for the patch.

On 27/12/2019 09:20, Xu Wang wrote:
Free the nvmem structure only after we are done using it.
This patch just moves the put_device() down a bit to avoid the
use after free.

Could you explain the issue a bit more here, on what exactly could go wrong with the existing order?
Maybe the stack trace of the use-after-free case? Or steps to reproduce the issue?

nvmem device is protected with kref.

--srini


Signed-off-by: Xu Wang <vulab@xxxxxxxxxxx>
---
drivers/nvmem/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index 9f1ee9c..7051d34 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -535,8 +535,8 @@ static struct nvmem_device *__nvmem_device_get(void *data,
static void __nvmem_device_put(struct nvmem_device *nvmem)
{
- put_device(&nvmem->dev);
module_put(nvmem->owner);
+ put_device(&nvmem->dev);
kref_put(&nvmem->refcnt, nvmem_device_release);
}
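
Review bot: In __nvmem_device_put() the moved put_device(&nvmem->dev) still runs before kref_put(&nvmem->refcnt, nvmem_device_release), so if dropping the device reference can free nvmem, as the commit message implies, the last line still dereferences it and the reordering only protects the module_put(nvmem->owner) read. Either make put_device() the final call in the function, or state in the commit message which reference keeps nvmem alive across each of the three calls, together with the trace or reproduction steps that show the old order failing.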