Message ID | 20230725215539.3135304-1-zhangxiaoxu5@huawei.com |
---|---|
State | New |
Series | [-next] mtd: Fix the refcount error of the mtd info |
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c index 2466ea466466..7c2040a7af0a 100644 --- a/drivers/mtd/mtdcore.c +++ b/drivers/mtd/mtdcore.c @@ -1335,12 +1335,12 @@ void __put_mtd_device(struct mtd_info *mtd) while (mtd != master) { struct mtd_info *parent = mtd->parent; - kref_put(&mtd->refcnt, mtd_device_release); + if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER)) + kref_put(&mtd->refcnt, mtd_device_release); mtd = parent; } - if (IS_ENABLED(CONFIG_MTD_PARTITIONED_MASTER)) - kref_put(&master->refcnt, mtd_device_release); + kref_put(&master->refcnt, mtd_device_release); module_put(master->owner);
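Review bot: the kref_put(&master->refcnt, mtd_device_release) after the loop becomes unconditional here, but the commit message only explains the parent case (a reference taken only with MTD_PARTITIONED_MASTER enabled, yet always dropped), and the get side is not part of this diff. Please state in the changelog where the master reference is taken when CONFIG_MTD_PARTITIONED_MASTER is disabled. If the get path (__get_mtd_device()) still guards its kref_get() on the master with IS_ENABLED(), this put has no matching get and the master can be released early, which is the same class of bug as the KASAN report. If the get path is meant to change as well, it belongs in this patch so the get/put pairing can be reviewed together. A short comment above the loop saying which references each configuration holds would also help.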
There is a UAF when testing the mchp23k256 driver with a bpf mock device:

  BUG: KASAN: slab-use-after-free in device_pm_remove+0x7d/0xe0
  Write of size 8 at addr ffff888118bf0400 by task python3/261

  CPU: 0 PID: 261 Comm: python3 Tainted: G W N 6.5.0-rc2+
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   dump_stack_lvl+0x65/0xb0
   print_report+0xcc/0x620
   kasan_report+0xba/0xf0
   device_pm_remove+0x7d/0xe0
   device_del+0x273/0x780
   spi_unregister_device+0xa3/0x140
   delete_device_store+0x172/0x290
   dev_attr_store+0x3e/0x70
   sysfs_kf_write+0x8c/0xb0
   kernfs_fop_write_iter+0x246/0x330
   vfs_write+0x646/0x840
   ksys_write+0xd6/0x1b0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

  Allocated by task 261:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   __kasan_kmalloc+0x7b/0x90
   __kmalloc_node_track_caller+0x57/0x150
   devm_kmalloc+0x6a/0x1c0
   mchp23k256_probe+0x28/0x270 [mchp23k256]
   spi_probe+0xe1/0x140
   really_probe+0x283/0x530
   __driver_probe_device+0xe5/0x1e0
   device_driver_attach+0x75/0x120
   bind_store+0xa4/0x120
   drv_attr_store+0x49/0x70
   sysfs_kf_write+0x8c/0xb0
   kernfs_fop_write_iter+0x246/0x330
   vfs_write+0x646/0x840
   ksys_write+0xd6/0x1b0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

  Freed by task 261:
   kasan_save_stack+0x1e/0x40
   kasan_set_track+0x21/0x30
   kasan_save_free_info+0x27/0x40
   __kasan_slab_free+0x106/0x190
   __kmem_cache_free+0xdd/0x330
   devres_release_all+0x143/0x1b0
   device_unbind_cleanup+0x19/0xd0
   device_release_driver_internal+0x31f/0x380
   unbind_store+0xce/0xd0
   drv_attr_store+0x49/0x70
   sysfs_kf_write+0x8c/0xb0
   kernfs_fop_write_iter+0x246/0x330
   vfs_write+0x646/0x840
   ksys_write+0xd6/0x1b0
   do_syscall_64+0x38/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8

The refcount of the parent was increased when getting the mtd device with
MTD_PARTITIONED_MASTER enabled, but is always decreased when putting the mtd
device, which will lead to a refcount error.

Fixes: 19bfa9ebebb5 ("mtd: use refcount to prevent corruption")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
---
 drivers/mtd/mtdcore.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)