On Mon, 2016-02-22 at 16:50 +0200, Heikki Krogerus wrote:
> In device_remove_property_set(), if the primary fwnode is
> of type "pset", it has to be set pointing to NULL before
> calling set_secondary_fwnode(). Otherwise
> set_secondary_fwnode() will attempt to set the
> fwnode->secondary member after the fwnode has been freed.
> 
> Reported-by: John Youn <john.y...@synopsys.com>
> Signed-off-by: Heikki Krogerus <heikki.kroge...@linux.intel.com>
> ---
>  drivers/base/property.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/base/property.c b/drivers/base/property.c
> index a163f2c..ddf2987 100644
> --- a/drivers/base/property.c
> +++ b/drivers/base/property.c
> @@ -820,7 +820,9 @@ void device_remove_property_set(struct device
> *dev)
>        * the pset. If there is no real firmware node (ACPI/DT)
> primary
>        * will hold the pset.
>        */
> -     if (!is_pset_node(fwnode))
> +     if (is_pset_node(fwnode))
> +             dev->fwnode = NULL;
> +     else
>               fwnode = fwnode->secondary;
>       if (!IS_ERR(fwnode) && is_pset_node(fwnode))
>               pset_free_set(to_pset_node(fwnode));
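Review bot: The new `dev->fwnode = NULL;` branch has no comment explaining why the pointer must be cleared at this point, and the block comment above it still only describes picking a node. Per the description, this ordering is what stops the later set_secondary_fwnode() call (outside this hunk) from writing `->secondary` into the pset after pset_free_set() has freed it. I would add `/* Clear dev->fwnode first: set_secondary_fwnode() must not touch the pset once it has been freed */` above the assignment. The function body starts and ends outside the hunk.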


What if we do the following

--- a/drivers/base/property.c
+++ b/drivers/base/property.c
@@ -818,9 +818,13 @@ void device_remove_property_set(struct device
*dev)
         */
        if (!is_pset_node(fwnode))
                fwnode = fwnode->secondary;
+
+       /* Set device fwnode to NULL before we free it */
+       set_secondary_fwnode(dev, NULL);
+
+       /* Free property set for the given device */
        if (!IS_ERR(fwnode) && is_pset_node(fwnode))
                pset_free_set(to_pset_node(fwnode));
-       set_secondary_fwnode(dev, NULL);
 }
 EXPORT_SYMBOL_GPL(device_remove_property_set);
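Review bot: Moving `set_secondary_fwnode(dev, NULL);` ahead of the free only removes the dangling pointer if that helper clears `dev->fwnode` itself when the pset is the primary node. Its body is not visible here, and the quoted description says it sets `fwnode->secondary`; if that is what happens on this path, `dev->fwnode` would still reference the pset after `pset_free_set()`. It is worth confirming that path, or keeping an explicit `dev->fwnode = NULL;` for the pset-primary case. The comment `/* Set device fwnode to NULL before we free it */` should also say which link is cleared, e.g. `/* Unlink the pset from dev (primary or secondary) before freeing it */`. The function starts outside the hunk.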
 
?

-- 
Andy Shevchenko <andriy.shevche...@linux.intel.com>
Intel Finland Oy
