From patchwork Sat Aug 7 21:45:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Young X-Patchwork-Id: 1514719 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=fB/gmWar; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mess.org header.i=@mess.org header.a=rsa-sha256 header.s=2020 header.b=b2qknQf5; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Ghwsb2K9pz9sWX for ; Sun, 8 Aug 2021 07:46:43 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=6Kbf5MAHvvb4PCSQRg9idiuW68irW4CNgQoN9FO7ss8=; b=fB/gmWar+V/NHy rr68HOb/dfK76Q+0x6AeGGN1tIfDHUJL7bBOOqosiVXIanzKB4Iceg1OvoppthRSdckP/MFx7qyFj WQnF7fSlZQCp6dY7vui7LvDfRKLUKP2qkAja4owc3dratlqGwbCJSX2XvTJl2um7Y4lidSZVgrTIy YcO02ob8CafoLCPiHdNJaMch+HAbnmFPMwd0d+k/PfrkvwuPRR+uw8nj+mq8W6qNX2ZjcFlxDFyhc 8eMWvKsunYaBi5cb4nfBXVyPzjFLatSLSOVDtypTOJF9HK6AJb+CFTbds9Pi3B0RvKYNT645sfHsd P71S6r1wXNhGQardk/rg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mCU8x-00FBRF-Cm; Sat, 07 Aug 2021 21:46:11 +0000 Received: from gofer.mess.org ([2a02:8011:d000:212::1]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mCU8U-00FBLS-M3 for linux-mtd@lists.infradead.org; Sat, 07 Aug 2021 21:45:44 +0000 Received: by gofer.mess.org (Postfix, from userid 1000) id 7B40EC6AA2; Sat, 7 Aug 2021 22:45:39 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mess.org; s=2020; t=1628372739; bh=Gv+0MpWO0mMlGAAP7l1ivWhAuigWD7h+69uax9Owqq0=; h=From:To:Subject:Date:In-Reply-To:References:From; b=b2qknQf5ozy6SsHqrhzKH9FDcrG+1IPdPqFNXsRYT3qxBIusiHOu5zc5GwG+hAUuX rbrbFU8Wdi2jvGN17L8N3tWTGZc6x5prvbqEsk+JEmNALs6ULPXWf2ZTAzwVopb64B U/UZ1mQlKUAXaulY/xqORV6vJ+MMpRcRhZl/LlWpwlz6Skh+xhV9WpMG9ZyV9yykYR ZPu/quCEwQ2rlup1xm987awmgCjUv9u9EKey0XGCezY3Y6UMpOQwb+yHRiKfNSnQXC 6n8kTiVBwiPOCcPsBASIvuyUH2BT9dOhbVofapSwQcHZuOND1WL5fnRSlBTkvrjbnB Vj6FscAZQef6Q== From: Sean Young To: Miquel Raynal , Richard Weinberger , Vignesh Raghavendra , linux-mtd@lists.infradead.org Subject: [PATCH v2 4/5] mtd: rfd_ftl: fix use-after-free Date: Sat, 7 Aug 2021 22:45:37 +0100 Message-Id: <20210807214538.14484-5-sean@mess.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210807214538.14484-1-sean@mess.org> References: <20210807214538.14484-1-sean@mess.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210807_144542_939649_B72016EA X-CRM114-Status: UNSURE ( 9.42 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: del_mtd_blktrans_dev() will kfree part, so after this call both part and dev point to freed memory. Move the call to avoid use-after-free. Signed-off-by: Sean Young --- drivers/mtd/rfd_ftl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org del_mtd_blktrans_dev() will kfree part, so after this call both part and dev point to freed memory. Move the call to avoid use-after-free. Signed-off-by: Sean Young --- drivers/mtd/rfd_ftl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/rfd_ftl.c b/drivers/mtd/rfd_ftl.c index 7f5f6d247cae..52be9f1fa9a2 100644 --- a/drivers/mtd/rfd_ftl.c +++ b/drivers/mtd/rfd_ftl.c @@ -800,10 +800,10 @@ static void rfd_ftl_remove_dev(struct mtd_blktrans_dev *dev) part->mbd.mtd->name, i, part->blocks[i].erases); } - del_mtd_blktrans_dev(dev); vfree(part->sector_map); kfree(part->header_cache); kfree(part->blocks); + del_mtd_blktrans_dev(dev); } static struct mtd_blktrans_ops rfd_ftl_tr = {