[PATCH linux dev-5.1] fsi: core: Fix NULL dereference issue
Jeremy Kerr
jk at ozlabs.org
Wed Jun 26 11:33:48 AEST 2019
Hi Lei,
> The failure case in fsi_slave_init() is wrong and could cause a NULL
> dereference issue.
> E.g. on the FP5280G2 machine, it could get a failure in
> fsi_slave_set_smode(),
> and when it does an fsi rescan, the kernel crashes due to:
>
> Unable to handle kernel NULL pointer dereference at virtual
> address 00000060
>
> The fix is to make it not call kfree() but just goto err_free.
>
> However, in err_free, it calls put_device() to free the device; it
> still causes an issue during fsi rescan, in that the device is used after
> being freed.
>
> WARNING: CPU: 0 PID: 1433 at lib/refcount.c:190
> refcount_sub_and_test_checked+0x94/0xac
> refcount_t: underflow; use-after-free.
>
> So the put_device() is removed and "err_free" label is renamed to
> "fail".
It looks like this will leak memory (through the struct fsi_slave) that
has been kzalloc()ed. After device_register, we need to call
put_device() to free the struct fsi_slave, but there's no mechanism for
that to happen if we remove it from fsi_slave_init().
The error paths for this function do need to be fixed, but I don't think
this is the right approach.
Do you have a backtrace of the refcount_sub_and_test_checked+0x94/0xac
warning? This may not be the actual struct device that underflows.
Cheers,
Jeremy
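As an added illustration of the ownership point in the reply above (not code from this thread, the FSI driver or the kernel; the mock_* types, simulate_init_failure() and the outcome names are hypothetical), this toy model walks the three error-path variants discussed:

```c
/* Toy model of the ownership rule in the reply above: hypothetical code, not
 * the FSI driver or the kernel's driver core. Once device_register() has run,
 * the struct embedding the device belongs to its refcount; it is released via
 * put_device(), which frees it when the count reaches zero, never by kfree(). */
struct mock_device { int refcount; int registered; int freed; };
struct mock_slave  { int link; int id; struct mock_device dev; };

static void device_initialize(struct mock_device *dev)
{
	dev->refcount = 1;               /* the caller's initial reference */
	dev->registered = dev->freed = 0;
}
static void device_register(struct mock_device *dev)
{
	dev->registered = 1;             /* now visible to the driver core */
}
static void kfree(struct mock_slave *slave)
{
	slave->dev.freed = 1;            /* memory gone, references untouched */
}
static void put_device(struct mock_device *dev)
{
	if (--dev->refcount == 0) {      /* release callback frees the slave */
		dev->registered = 0;
		dev->freed = 1;
	}
}

enum outcome  { CLEAN, LEAKED, FREED_WHILE_REGISTERED };
enum err_path { PATH_KFREE, PATH_FAIL_NO_PUT, PATH_GOTO_ERR_FREE };

/* fsi_slave_init() failing in fsi_slave_set_smode() after device_register(),
 * with the three error-path variants discussed in the thread. */
static enum outcome simulate_init_failure(enum err_path path)
{
	struct mock_slave slave = { 0 };
	device_initialize(&slave.dev);
	device_register(&slave.dev);
	/* ... fsi_slave_set_smode() fails here ... */
	switch (path) {
	case PATH_KFREE:         kfree(&slave);          break; /* original code */
	case PATH_FAIL_NO_PUT:                           break; /* patch under review */
	case PATH_GOTO_ERR_FREE: put_device(&slave.dev); break; /* drop init reference */
	}
	if (slave.dev.freed && slave.dev.registered)
		return FREED_WHILE_REGISTERED; /* core still sees it: later NULL deref / UAF */
	if (!slave.dev.freed)
		return LEAKED;                 /* nothing will ever put_device() it */
	return CLEAN;
}
```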