[PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu
Michael Ellerman
mpe at ellerman.id.au
Fri Apr 22 19:36:43 AEST 2022
Frederic Barrat <fbarrat at linux.ibm.com> writes:
> On 21/04/2022 00:54, Michael Ellerman wrote:
>> Hangyu Hua <hbh25y at gmail.com> writes:
>>> info_release() will be called in device_unregister() when info->dev's
>>> reference count is 0. So there is no need to call ocxl_afu_put() and
>>> kfree() again.
>>
>> Double frees are often exploitable. But it looks to me like this error
>> path is not easily reachable by an attacker.
>>
>> ocxl_file_register_afu() is only called from ocxl_probe(), and we only
>> go to err_unregister if the sysfs or cdev initialisation fails, which
>> should only happen if we hit ENOMEM, or we have a duplicate device which
>> would be a device-tree/hardware error. But maybe Fred can check more
>> closely, I don't know the driver that well.
>
> The linux devices built here are based on what is parsed on the physical
> devices. Those could be FPGAs but updating the FPGA image requires root
> privilege. In any case, duplicate AFU names are possible, that's why the
> driver adds an index (the afu->config.idx part of the name) to the linux
> device name. So we would need to mess that up in the driver as well to
> have a duplicate device name.
> So I would agree the double free is hard to hit.
Thanks for confirming.
> mpe: I think this patch can be taken as is. The "beautification" I
> talked about is just that and I don't intend to work on it except if
> something else shows up.
OK, will pick this up.
cheers
More information about the Linuxppc-dev
mailing list