[PATCH 2/2] device property: fix for a case of use-after-free

From: Heikki Krogerus
Date: Mon Feb 22 2016 - 09:50:56 EST

Next message: Heikki Krogerus: "[PATCH 0/2] device property: fix for couple of bugs"
Previous message: Heikki Krogerus: "[PATCH 1/2] device property: fwnode->secondary may contain ERR_PTR(-ENODEV)"
In reply to: Heikki Krogerus: "[PATCH 1/2] device property: fwnode->secondary may contain ERR_PTR(-ENODEV)"
Next in thread: Andy Shevchenko: "Re: [PATCH 2/2] device property: fix for a case of use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In device_remove_property_set(), if the primary fwnode is
of type "pset", it has to be set pointing to NULL before
calling set_secondary_fwnode(). Otherwise
set_secondary_fwnode() will attempt to set the
fwnode->secondary member after the fwnode has been freed.

Reported-by: John Youn <John.Youn@xxxxxxxxxxxx>
Signed-off-by: Heikki Krogerus <heikki.krogerus@xxxxxxxxxxxxxxx>
---
drivers/base/property.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/base/property.c b/drivers/base/property.c
index a163f2c..ddf2987 100644
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -820,7 +820,9 @@ void device_remove_property_set(struct device *dev)
* the pset. If there is no real firmware node (ACPI/DT) primary
* will hold the pset.
*/
- if (!is_pset_node(fwnode))
+ if (is_pset_node(fwnode))
+ dev->fwnode = NULL;
+ else
fwnode = fwnode->secondary;
if (!IS_ERR(fwnode) && is_pset_node(fwnode))
pset_free_set(to_pset_node(fwnode));
--
2.7.0

Next message: Heikki Krogerus: "[PATCH 0/2] device property: fix for couple of bugs"
Previous message: Heikki Krogerus: "[PATCH 1/2] device property: fwnode->secondary may contain ERR_PTR(-ENODEV)"
In reply to: Heikki Krogerus: "[PATCH 1/2] device property: fwnode->secondary may contain ERR_PTR(-ENODEV)"
Next in thread: Andy Shevchenko: "Re: [PATCH 2/2] device property: fix for a case of use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]