Mon, Feb 24, 2025 at 05:47:04PM +0100, jiashengjiangcool@gmail.com wrote:
Hi Jiri,
On Mon, Feb 24, 2025 at 7:04 AM Jiri Pirko jiri@resnulli.us wrote:
Mon, Feb 24, 2025 at 10:31:27AM +0100, arkadiusz.kubalewski@intel.com wrote:
Hi Jiasheng, many thanks for the patch!
From: Jiasheng Jiang jiashengjiangcool@gmail.com Sent: Sunday, February 23, 2025 9:17 PM
When src->freq_supported is not NULL but src->freq_supported_num is 0, dst->freq_supported is equal to src->freq_supported. In this case, if the subsequent kstrdup() fails, src->freq_supported may
The src->freq_supported is not being freed in this function, you ment dst->freq_supported? But also it is not true. dst->freq_supported is being freed already, this patch adds only additional condition over it.. From kfree doc: "If @object is NULL, no operation is performed.".
be freed without being set to NULL, potentially leading to a use-after-free or double-free error.
kfree does not set to NULL from what I know. How would it lead to use-after-free/double-free? Why the one would use the memory after the function returns -ENOMEM?
I don't think this patch is needed or resolves anything.
I'm sure it's not needed.
After "memcpy(dst, src, sizeof(*dst))", dst->freq_supported will point to the same memory as src->freq_supported. When src->freq_supported is not NULL but src->freq_supported_num is 0, dst->freq_supported still points to the same memory as src->freq_supported. Then, if the subsequent kstrdup() fails, dst->freq_supported is freed, and src->freq_supported becomes a Dangling Pointer, potentially leading to a use-after-free or double-free error.
Okay. This condition should not happen, driver is broken in that case. Better add an assertion for it.
-Jiasheng
Thank you! Arkadiusz
Fixes: 830ead5fb0c5 ("dpll: fix pin dump crash for rebound module") Cc: stable@vger.kernel.org # v6.8+ Signed-off-by: Jiasheng Jiang jiashengjiangcool@gmail.com
drivers/dpll/dpll_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c index 32019dc33cca..7d147adf8455 100644 --- a/drivers/dpll/dpll_core.c +++ b/drivers/dpll/dpll_core.c @@ -475,7 +475,8 @@ static int dpll_pin_prop_dup(const struct dpll_pin_properties *src, err_panel_label: kfree(dst->board_label); err_board_label:
kfree(dst->freq_supported);
if (src->freq_supported_num)kfree(dst->freq_supported);}
-- 2.25.1