Hi!
From: Qinglang Miao miaoqinglang@huawei.com
[ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ]
kfree(host->card) has been called in put_device, so another kfree would cause a double-free bug.
+++ b/drivers/memstick/core/memstick.c @@ -468,7 +468,6 @@ static void memstick_check(struct work_struct *work) host->card = card; if (device_register(&card->dev)) { put_device(&card->dev);
kfree(host->card); host->card = NULL; }
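Review bot: the error path in this hunk drops kfree(host->card) but keeps `host->card = NULL;` right after put_device(&card->dev) with no comment explaining the ownership handoff. Since the commit message states that put_device() is what frees the card, a one-line comment at that spot (e.g. `/* card is freed by the device release callback */`) would document why the explicit kfree is gone and make it explicit to the next reader that clearing host->card is safe even though the release can run asynchronously (the CONFIG_DEBUG_KOBJECT_RELEASE case).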
Does the host->card = NULL need to be removed, too (and following code refactored)? put_device() needs that pointer to be able to free it and it can do so asynchronously.
This will cause crashes; they should be easy to reproduce with CONFIG_DEBUG_KOBJECT_RELEASE due to delay in kobject_release() AFAICT.
Best regards, Pavel