Message ID | 20230214093801.1267044-1-harshit.m.mogalapalli@oracle.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2869522wrn; Tue, 14 Feb 2023 01:46:52 -0800 (PST) X-Google-Smtp-Source: AK7set8dTaFhNFEJ/b+jvWOZKOv1yDJL4A5CuZyWDohnbSZGax4I8tiIQZsw61MQIxJNoDrfzEJt X-Received: by 2002:a17:903:2407:b0:198:adc4:229d with SMTP id e7-20020a170903240700b00198adc4229dmr18811775plo.24.1676368011931; Tue, 14 Feb 2023 01:46:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676368011; cv=none; d=google.com; s=arc-20160816; b=zNnqSHSxx8t9LoZrxkr5fpe7r5tqH19C2t7Ok6G+4u5gIEpt8wReWjLxmxWflIGsiO NA+MwWA9W9YW3CL9o05jY6k7WpvmTISPJfCQnsx3XT5gCAM4QeATxmmBQgPe1Vmw3uKj agsloaIXf3Wok0XWU30h70kuW9oBqqeU0/dg7Wk0Gs+KoKR8JqW+HYwa1kMlAhr3QMsC SB/uddXNEsOTKRprsVbR/VVCt/cZJ0TluB5V/uhsH1qlnZVvBEQrPEPVJQyWIZ5ICUrf srrOejGow1KfuvPDwZLc7Aw+cMW8vuijytE4eCd+pioG8Lmyd6mJMvlqFLDgTnEHrjnx EW5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:content-transfer-encoding:mime-version :message-id:date:subject:cc:from:dkim-signature; bh=abN3WeABrZKVtxO1m8F3An7TfDTw3na3P2oNLuQ0iD0=; b=NBeKmcpKRfEftItsctqE70V7bJxOTFH/VlSqNSm5TcJd4jHSNm3sO4Qd0TqS2+ZHVb J2FUxzfegg668Rhv7p53OEZpWs8dORMrUROPUhWwBRNKbKuCH3Cn7vMklA8173rfCXiB Rc2jZR0KGTZh4wd0rr3j2RcPdjmde7rml0rygdSLriF9t3BIxj3Vw6lW5qAjWnTPU8+5 XegeTPDZZHUg61pfTVFYbzbXWAujRiPpf/Qz2B549AnenCbTWVrnMVLox+SLBAZ6X0VX ky+63qiaurmbJWWHgbwSv6PF5GdrBCZWy0rKxs8HcKClZQt391LyynktYqaL01opm3ZC bMmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@oracle.com header.s=corp-2022-7-12 header.b=bMDprgcB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d1-20020a170902728100b0019ab0383d63si2498990pll.260.2023.02.14.01.46.39; Tue, 14 Feb 2023 01:46:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@oracle.com header.s=corp-2022-7-12 header.b=bMDprgcB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232424AbjBNJic (ORCPT <rfc822;henrikjoshmiranda3@gmail.com> + 99 others); Tue, 14 Feb 2023 04:38:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49530 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232101AbjBNJia (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 14 Feb 2023 04:38:30 -0500 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 75C293C27 for <linux-kernel@vger.kernel.org>; Tue, 14 Feb 2023 01:38:29 -0800 (PST) Received: from pps.filterd (m0246632.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31E8Nwip029770; Tue, 14 Feb 2023 09:38:07 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=corp-2022-7-12; bh=abN3WeABrZKVtxO1m8F3An7TfDTw3na3P2oNLuQ0iD0=; b=bMDprgcBQxdcyi2GIA5mnSGE5QDvyaLEK5kBkClQn9Vu97DqG85NwKJ5NS5Gyu5+/oHF n+w8O9XuzI3JZ0uGT6XDB/yjqlWl02chc96ujYmXV3hYcNx8RC+hCS+n2CjHHmVH/IOY RfACQB4uP3s4ew15KfzopJGaIIYqg9i9EcF4BZaVz/j44P7R0uizLsUY1s//axcgxBPI R/dqZ27jYuNd+ACGpYb8PzL3yKgdr+5n5H9HhngC08OMDTzJfCMKovqrpWd4x0JyQn8z /wrJpJ43ZG4qS/AB+2LHh/4Q5+IfuzH7JpYSgNkmnnzzRyNmx74Cu6fOwNA9TzaHi6i4 PQ== Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.appoci.oracle.com [147.154.18.20]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3np2mtcvmj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 14 Feb 2023 09:38:07 +0000 Received: from pps.filterd (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 31E8hXUI018473; Tue, 14 Feb 2023 09:38:07 GMT Received: from pps.reinject (localhost [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3np1f5sdjf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 14 Feb 2023 09:38:07 +0000 Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 31E9YwXd016428; Tue, 14 Feb 2023 09:38:06 GMT Received: from ca-dev112.us.oracle.com (ca-dev112.us.oracle.com [10.129.136.47]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTP id 3np1f5sdgy-1; Tue, 14 Feb 2023 09:38:06 +0000 From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Cc: harshit.m.mogalapalli@gmail.com, error27@gmail.com, hch@lst.de, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>, Richard Weinberger <richard@nod.at>, Miquel Raynal <miquel.raynal@bootlin.com>, Vignesh Raghavendra <vigneshr@ti.com>, linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH linux-next] ubi: block: Fix a possible use-after-free bug in ubiblock_create() Date: Tue, 14 Feb 2023 01:38:01 -0800 Message-Id: <20230214093801.1267044-1-harshit.m.mogalapalli@oracle.com> X-Mailer: git-send-email 2.39.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-14_06,2023-02-13_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 mlxscore=0 adultscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2302140082 X-Proofpoint-GUID: tf3NqCX4zp4U7_Z1qCxZJXI7tqDbV-L- X-Proofpoint-ORIG-GUID: tf3NqCX4zp4U7_Z1qCxZJXI7tqDbV-L- X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1757799264787414955?= X-GMAIL-MSGID: =?utf-8?q?1757799264787414955?= |
Series |
[linux-next] ubi: block: Fix a possible use-after-free bug in ubiblock_create()
|
|
Commit Message
Harshit Mogalapalli
Feb. 14, 2023, 9:38 a.m. UTC
Smatch warns:
drivers/mtd/ubi/block.c:438 ubiblock_create()
warn: '&dev->list' not removed from list
'dev' is freed in 'out_free_dev:, but it is still on the list.
To fix this, delete the list item before freeing.
Fixes: 91cc8fbcc8c7 ("ubi: block: set BLK_MQ_F_BLOCKING")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
Found by static analysis(smatch). Only Compile tested.
---
drivers/mtd/ubi/block.c | 1 +
1 file changed, 1 insertion(+)
Comments
----- Ursprüngliche Mail ----- > Von: "harshit m mogalapalli" <harshit.m.mogalapalli@oracle.com> > Smatch warns: > drivers/mtd/ubi/block.c:438 ubiblock_create() > warn: '&dev->list' not removed from list > > 'dev' is freed in 'out_free_dev:, but it is still on the list. > > To fix this, delete the list item before freeing. > > Fixes: 91cc8fbcc8c7 ("ubi: block: set BLK_MQ_F_BLOCKING") > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > --- > Found by static analysis(smatch). Only Compile tested. > --- > drivers/mtd/ubi/block.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c > index f5d036203fe7..763704c8d05c 100644 > --- a/drivers/mtd/ubi/block.c > +++ b/drivers/mtd/ubi/block.c > @@ -429,6 +429,7 @@ int ubiblock_create(struct ubi_volume_info *vi) > return 0; > > out_remove_minor: > + list_del(&dev->list); > idr_remove(&ubiblock_minor_idr, gd->first_minor); > out_cleanup_disk: > put_disk(dev->gd); Good catch! Thanks, //richard
On Tue, Feb 14, 2023 at 01:38:01AM -0800, Harshit Mogalapalli wrote: > Smatch warns: > drivers/mtd/ubi/block.c:438 ubiblock_create() > warn: '&dev->list' not removed from list > > 'dev' is freed in 'out_free_dev:, but it is still on the list. > > To fix this, delete the list item before freeing. > > Fixes: 91cc8fbcc8c7 ("ubi: block: set BLK_MQ_F_BLOCKING") > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Thanks, this looks good: Reviewed-by: Christoph Hellwig <hch@lst.de>
diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index f5d036203fe7..763704c8d05c 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c @@ -429,6 +429,7 @@ int ubiblock_create(struct ubi_volume_info *vi) return 0; out_remove_minor: + list_del(&dev->list); idr_remove(&ubiblock_minor_idr, gd->first_minor); out_cleanup_disk: put_disk(dev->gd);