[PATCH linux dev-5.1] fsi: core: Fix NULL dereference issue

Jeremy Kerr jk at ozlabs.org
Wed Jun 26 11:33:48 AEST 2019


Hi Lei,

> The failure case in fsi_slave_init() is wrong and could cause a NULL
> dereference issue.
> E.g. on the FP5280G2 machine, it could get a failure in
> fsi_slave_set_smode(), and when it does an fsi rescan, the kernel
> crashes due to:
> 
>     Unable to handle kernel NULL pointer dereference at virtual
>     address 00000060
> 
> The fix is to make it not call kfree() but just goto err_free.
> 
> However, in err_free, it calls put_device() to free the device, which
> still causes an issue during fsi rescan, in that the device is used
> after being freed.
> 
>     WARNING: CPU: 0 PID: 1433 at lib/refcount.c:190
>     refcount_sub_and_test_checked+0x94/0xac
>     refcount_t: underflow; use-after-free.
> 
> So the put_device() is removed and the "err_free" label is renamed to
> "fail".

It looks like this will leak memory (through the struct fsi_slave) that
has been kzalloc()ed. After device_register, we need to call
put_device() to free the struct fsi_slave, but there's no mechanism for
that to happen if we remove it from fsi_slave_init().

The error paths for this function do need to be fixed, but I don't think
this is the right approach.

Do you have a backtrace of the refcount_sub_and_test_checked+0x94/0xac
warning? This may not be the actual struct device that underflows.

Cheers,


Jeremy
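The ownership rule behind the exchange above, as an added userspace model that is not kernel code, not the fsi driver, and not from either message in this thread: once a struct device has been initialised and registered, its refcount owns the containing allocation, and the release callback frees it when the last reference drops. The model compares the three error-path variants discussed (kfree() after registration, dropping the put entirely, and releasing through the driver-core refcount) by running a simulated rescan after each. The struct layout, the tiny liveness registry, the `bus_rescan()` helper and the `enum cleanup` variants are assumptions made for illustration; only the refcount/release pattern itself is the kernel's.

```c
/* Constructed model of the driver-core ownership rule: a registered
 * struct device is freed only via its release callback when the refcount
 * hits zero, so error paths use put_device()/device_unregister(), never
 * kfree().  Not kernel code and not the fsi driver. */
#include <stdlib.h>
#include <string.h>

struct device {
    int refcount;                        /* models kobject->kref */
    void (*release)(struct device *dev); /* frees the containing object */
    struct device *bus_next;             /* models the bus's device list */
};

struct fsi_slave {                       /* assumed stand-in for the real struct */
    struct device dev;                   /* first member: release casts back to it */
    int link, id;
};

static struct device *bus_list;          /* what a "rescan" would walk */
static int release_calls;                /* how many times release has run */

/* Tiny allocation registry so a dangling pointer can be recognised without
 * dereferencing freed memory (stands in for what KASAN would report). */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static void *slave_zalloc(size_t sz) {
    void *p = calloc(1, sz);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void slave_kfree(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) live[i] = NULL;
    free(p);
}
static int is_live(const void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) return 1;
    return 0;
}

static void slave_release(struct device *dev) {
    release_calls++;
    slave_kfree((struct fsi_slave *)dev);
}

static struct device *get_device(struct device *dev) { dev->refcount++; return dev; }
static void put_device(struct device *dev) {
    if (--dev->refcount == 0)            /* last reference: release frees it */
        dev->release(dev);
}
static void device_initialize(struct device *dev, void (*rel)(struct device *)) {
    dev->refcount = 1;                   /* the caller's initial reference */
    dev->release = rel;
    dev->bus_next = NULL;
}
static void device_add(struct device *dev) {     /* bus takes its own reference */
    get_device(dev);
    dev->bus_next = bus_list;
    bus_list = dev;
}
static void device_del(struct device *dev) {     /* unlink, drop the bus's reference */
    for (struct device **pp = &bus_list; *pp; pp = &(*pp)->bus_next)
        if (*pp == dev) { *pp = dev->bus_next; put_device(dev); return; }
}
static void device_unregister(struct device *dev) { device_del(dev); put_device(dev); }

/* Models "fsi rescan": walks the bus list.  Returns the number of devices,
 * or -1 on reaching a pointer to freed memory (where the kernel would oops). */
static int bus_rescan(void) {
    int n = 0;
    for (struct device *d = bus_list; d; d = d->bus_next) {
        if (!is_live(d)) return -1;      /* check before touching d->bus_next */
        n++;
    }
    return n;
}

enum cleanup { CLEANUP_KFREE, CLEANUP_NONE, CLEANUP_UNREGISTER };

/* Models the tail of slave init: registration succeeds, a later step fails,
 * then one of three cleanups runs.  Returns the result of a rescan. */
static int slave_init_then_fail(enum cleanup how) {
    bus_list = NULL; release_calls = 0; memset(live, 0, sizeof live);
    struct fsi_slave *slave = slave_zalloc(sizeof *slave);
    device_initialize(&slave->dev, slave_release);
    device_add(&slave->dev);             /* device_register() succeeded */
    /* ... a later step such as setting smode fails here ... */
    switch (how) {
    case CLEANUP_KFREE:      slave_kfree(slave); break;            /* bus keeps a dangling pointer */
    case CLEANUP_NONE:       break;                                 /* refcount never drops: leak */
    case CLEANUP_UNREGISTER: device_unregister(&slave->dev); break; /* refcount -> 0, release frees */
    }
    return bus_rescan();
}
static int live_slaves(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
    return n;
}
static int releases(void) { return release_calls; }
```

The kfree() variant leaves the bus list pointing at freed memory, so the next rescan hits it; the no-put variant keeps the object and its registration alive forever; only dropping the references through the refcount frees the object exactly once and leaves the bus list clean. The model deliberately does not simulate the refcount underflow warning, since that depends on which device's count is being dropped, which is exactly the open question in the reply.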



More information about the openbmc mailing list