linux/drivers/base
Yang Yingliang 55e6d80378
regmap: Fix possible double-free in regcache_rbtree_exit()
In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
so 'rbnode->block' points a freed memory, in the error handling path of
regcache_rbtree_init(), 'rbnode->block' will be freed again in
regcache_rbtree_exit(), KASAN will report double-free as follows:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
Call Trace:
 slab_free_freelist_hook+0x10d/0x240
 kfree+0xce/0x390
 regcache_rbtree_exit+0x15d/0x1a0
 regcache_rbtree_init+0x224/0x2c0
 regcache_init+0x88d/0x1310
 __regmap_init+0x3151/0x4a80
 __devm_regmap_init+0x7d/0x100
 madera_spi_probe+0x10f/0x333 [madera_spi]
 spi_probe+0x183/0x210
 really_probe+0x285/0xc30

To fix this, moving up the assignment of rbnode->block to immediately after
the reallocation has succeeded so that the data structure stays valid even
if the second reallocation fails.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 3f4ff561bc ("regmap: rbtree: Make cache_present bitmap per node")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2021-10-12 11:48:43 +01:00
..
firmware_loader firmware_loader: remove unneeded 'comma' macro 2021-06-04 15:06:03 +02:00
power Merge branches 'pm-cpuidle', 'pm-sleep' and 'pm-domains' 2021-07-07 20:17:43 +02:00
regmap regmap: Fix possible double-free in regcache_rbtree_exit() 2021-10-12 11:48:43 +01:00
test device property: Remove some casts in property-entry-test 2021-06-23 16:37:21 -06:00
arch_numa.c arch_numa: fix common code printing of phys_addr_t 2021-02-18 23:18:04 -08:00
arch_topology.c arch_topology: Avoid use-after-free for scale_freq_data 2021-07-01 07:32:14 +05:30
attribute_container.c driver core: attribute_container: fix W=1 warnings 2021-05-14 13:37:10 +02:00
auxiliary.c driver core: auxiliary bus: Remove unneeded module bits 2021-03-23 10:47:55 +01:00
base.h driver core: Export device_driver_attach() 2021-06-21 15:29:24 -06:00
bus.c driver core: Flow the return code from ->probe() through to sysfs bind 2021-06-21 15:29:24 -06:00
cacheinfo.c drivers core: Use sysfs_emit for shared_cpu_map_show and shared_cpu_list_show 2020-10-02 13:24:40 +02:00
class.c drivers: base: fix some kernel-doc markups 2020-11-09 18:56:49 +01:00
component.c component: Rename 'dev' to 'parent' 2021-05-27 15:49:59 +02:00
container.c
core.c USB / Thunderbolt patches for 5.14-rc1 2021-07-05 14:16:22 -07:00
cpu.c drivers/base: Constify static attribute_group structs 2021-06-04 15:06:28 +02:00
dd.c driver core: Export device_driver_attach() 2021-06-21 15:29:24 -06:00
devcoredump.c devcoredump: remove contact information 2021-06-04 15:05:44 +02:00
devres.c devres: Enable trace events 2021-06-15 17:14:36 +02:00
devtmpfs.c devtmpfs: actually reclaim some init memory 2021-03-23 14:57:35 +01:00
driver.c drivers: base: Convert to printk alias functions 2020-07-10 14:16:44 +02:00
firmware.c
hypervisor.c
init.c driver core: auxiliary bus: Fix calling stage for auxiliary bus init 2021-02-11 08:43:03 +01:00
isa.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
Kconfig RISC-V Patches for the 5.12 Merge Window 2021-02-26 10:28:35 -08:00
Makefile devres: Enable trace events 2021-06-15 17:14:36 +02:00
map.c
memory.c Linux 5.13-rc6 2021-06-14 09:07:45 +02:00
module.c
node.c Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
pinctrl.c
platform-msi.c platform-msi: fix kernel-doc warnings 2021-04-02 16:40:08 +02:00
platform.c drivers/base: Constify static attribute_group structs 2021-06-04 15:06:28 +02:00
property.c Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
soc.c soc: fix comment for freeing soc_dev_attr 2020-12-09 19:46:31 +01:00
swnode.c software node: Handle software node injection to an existing device properly 2021-06-23 19:34:58 +02:00
syscore.c syscore: Use pm_pr_dbg() for syscore_{suspend,resume}() 2020-09-08 13:32:06 +02:00
topology.c drivers core: Miscellaneous changes for sysfs_emit 2020-10-02 13:12:07 +02:00
trace.c devres: Enable trace events 2021-06-15 17:14:36 +02:00
trace.h devres: Enable trace events 2021-06-15 17:14:36 +02:00
transport_class.c scsi: drivers: base: Propagate errors through the transport component 2020-01-15 22:55:37 -05:00