Message ID | 1606353994-10348-1-git-send-email-tangyouling@loongson.cn |
---|---|
State | New |
Series | [v2] acpi: Fix use-after-free in acpi_ipmi.c |
Hi, On 11/26/2020 10:22 PM, Rafael J. Wysocki wrote: > On Thu, Nov 26, 2020 at 2:26 AM Youling Tang <tangyouling@loongson.cn> wrote: >> kfree() has been called inside put_device so another kfree would cause a >> use-after-free bug. >> >> Signed-off-by: Youling Tang <tangyouling@loongson.cn> >> --- >> drivers/acpi/acpi_ipmi.c | 1 - >> 1 file changed, 1 deletion(-) >> >> diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c >> index 9d6c0fc..18edf8b 100644 >> --- a/drivers/acpi/acpi_ipmi.c >> +++ b/drivers/acpi/acpi_ipmi.c >> @@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device) >> { >> ipmi_destroy_user(ipmi_device->user_interface); >> put_device(ipmi_device->dev); > Does putting ipmi_device->dev (which is a different object than > ipmi_device itself) really cause ipmi_device to be freed > automatically? If not, the change below will introduce a memory leak. > ipmi_device will be freed so that there is no memory leak. Similar to the following: https://lore.kernel.org/patchwork/patch/1342136/ Thanks, Youling. >> - kfree(ipmi_device); >> } >> >> static void ipmi_dev_release_kref(struct kref *kref) >> --
diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c index 9d6c0fc..18edf8b 100644 --- a/drivers/acpi/acpi_ipmi.c +++ b/drivers/acpi/acpi_ipmi.c @@ -142,7 +142,6 @@ static void ipmi_dev_release(struct acpi_ipmi_device *ipmi_device) { ipmi_destroy_user(ipmi_device->user_interface); put_device(ipmi_device->dev); - kfree(ipmi_device); } static void ipmi_dev_release_kref(struct kref *kref)
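Review bot: In ipmi_dev_release(), the deleted kfree(ipmi_device) frees the struct acpi_ipmi_device container, while put_device() is called on ipmi_device->dev, a separate object reached through a pointer member, so nothing in this hunk shows that dropping the device reference also frees ipmi_device. The ipmi_dev_release_kref() function that follows in the context suggests the container has its own kref-managed lifetime, independent of the refcount on dev; if that is the case, removing the kfree() leaks the structure every time the last reference is dropped. Please either keep the kfree() or name in the changelog the release callback that frees this allocation, so the claim can be checked. The changelog wording also needs tightening: a second kfree() of the same pointer would be a double free rather than a use-after-free, and the visible code does not dereference ipmi_device after put_device().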
kfree() has been called inside put_device so another kfree would cause a use-after-free bug. Signed-off-by: Youling Tang <tangyouling@loongson.cn> --- drivers/acpi/acpi_ipmi.c | 1 - 1 file changed, 1 deletion(-)