memstick: fix a double-free bug in memstick_check

Message ID	20201120074846.31322-1-miaoqinglang@huawei.com
State	New
Headers	show Return-Path: <linux-mmc-owner@kernel.org> From: Qinglang Miao <miaoqinglang@huawei.com> To: Maxim Levitsky <maximlevitsky@gmail.com>, Alex Dubov <oakad@yahoo.com>, Ulf Hansson <ulf.hansson@linaro.org> CC: <linux-mmc@vger.kernel.org>, <linux-kernel@vger.kernel.org>, Qinglang Miao <miaoqinglang@huawei.com> Subject: [PATCH] memstick: fix a double-free bug in memstick_check Date: Fri, 20 Nov 2020 15:48:46 +0800 Message-ID: <20201120074846.31322-1-miaoqinglang@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	memstick: fix a double-free bug in memstick_check \| expand memstick: fix a double-free bug in memstick_check

Message ID

20201120074846.31322-1-miaoqinglang@huawei.com

State

New

Headers

From: Qinglang Miao <miaoqinglang@huawei.com>
To: Maxim Levitsky <maximlevitsky@gmail.com>, Alex Dubov <oakad@yahoo.com>,
	Ulf Hansson <ulf.hansson@linaro.org>
CC: <linux-mmc@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	Qinglang Miao <miaoqinglang@huawei.com>
Subject: [PATCH] memstick: fix a double-free bug in memstick_check
Date: Fri, 20 Nov 2020 15:48:46 +0800
Message-ID: <20201120074846.31322-1-miaoqinglang@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk

Series

memstick: fix a double-free bug in memstick_check | expand

Commit Message

'Qinglang Miao Nov. 20, 2020, 7:48 a.m. UTC

kfree(host->card) has been called in put_device so that
another kfree would raise cause a double-free bug.

Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
---
 drivers/memstick/core/memstick.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Ulf Hansson Nov. 23, 2020, 4:07 p.m. UTC | #1

On Fri, 20 Nov 2020 at 08:44, Qinglang Miao <miaoqinglang@huawei.com> wrote:
>

> kfree(host->card) has been called in put_device so that

> another kfree would raise cause a double-free bug.

>

> Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling")

> Reported-by: Hulk Robot <hulkci@huawei.com>

> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>


Applied for next, thanks!

Kind regards
Uffe


> ---

>  drivers/memstick/core/memstick.c | 1 -

>  1 file changed, 1 deletion(-)

>

> diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c

> index ef03d6faf..12bc3f5a6 100644

> --- a/drivers/memstick/core/memstick.c

> +++ b/drivers/memstick/core/memstick.c

> @@ -468,7 +468,6 @@ static void memstick_check(struct work_struct *work)

>                         host->card = card;

>                         if (device_register(&card->dev)) {

>                                 put_device(&card->dev);

> -                               kfree(host->card);

>                                 host->card = NULL;

>                         }

>                 } else

> --

> 2.23.0

>

diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c
index ef03d6faf..12bc3f5a6 100644
--- a/drivers/memstick/core/memstick.c
+++ b/drivers/memstick/core/memstick.c
@@ -468,7 +468,6 @@  static void memstick_check(struct work_struct *work)
 			host->card = card;
 			if (device_register(&card->dev)) {
 				put_device(&card->dev);
-				kfree(host->card);
 				host->card = NULL;
 			}
 		} else

memstick: fix a double-free bug in memstick_check

Commit Message

Comments

Patch