Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

On Mon, 18 Apr 2022 16:57:58 +0800, Hangyu Hua wrote: > info_release() will be called in device_unregister() when info->dev's > reference count is 0. So there is no need to call ocxl_afu_put() and > kfree() again. > > Fix this by adding free_minor() and return to err_unregister error path. > >

Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

Frederic Barrat writes: > On 21/04/2022 00:54, Michael Ellerman wrote: >> Hangyu Hua writes: >>> info_release() will be called in device_unregister() when info->dev's >>> reference count is 0. So there is no need to call ocxl_afu_put() and >>> kfree() again. >> >> Double frees are often

Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

On 21/04/2022 00:54, Michael Ellerman wrote: Hangyu Hua writes: info_release() will be called in device_unregister() when info->dev's reference count is 0. So there is no need to call ocxl_afu_put() and kfree() again. Double frees are often exploitable. But it looks to me like this error

Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

On 2022/4/21 06:54, Michael Ellerman wrote: Hangyu Hua writes: info_release() will be called in device_unregister() when info->dev's reference count is 0. So there is no need to call ocxl_afu_put() and kfree() again. Double frees are often exploitable. But it looks to me like this error path

Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

Hangyu Hua writes: > info_release() will be called in device_unregister() when info->dev's > reference count is 0. So there is no need to call ocxl_afu_put() and > kfree() again. Double frees are often exploitable. But it looks to me like this error path is not easily reachable by an attacker.

Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

On 2022/4/19 17:09, Frederic Barrat wrote: On 18/04/2022 10:57, Hangyu Hua wrote: info_release() will be called in device_unregister() when info->dev's reference count is 0. So there is no need to call ocxl_afu_put() and kfree() again. Fix this by adding free_minor() and return to

Re: [PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

On 18/04/2022 10:57, Hangyu Hua wrote: info_release() will be called in device_unregister() when info->dev's reference count is 0. So there is no need to call ocxl_afu_put() and kfree() again. Fix this by adding free_minor() and return to err_unregister error path. Fixes: 75ca758adbaf

[PATCH] misc: ocxl: fix possible double free in ocxl_file_register_afu

info_release() will be called in device_unregister() when info->dev's reference count is 0. So there is no need to call ocxl_afu_put() and kfree() again. Fix this by adding free_minor() and return to err_unregister error path. Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl