Message ID | 20240917120458.7300-1-a.burakov@rosalinux.ru (mailing list archive) |
---|---|
State | Rejected, archived |
Series | [6.1] platform/x86: android-platform: deref after free in x86_android_tablet_init() fix |
Hi,

Thank you for your patch.

On 9/17/24 2:04 PM, Aleksandr Burakov wrote:

> No upstream commit exists for this commit.

Right, which is bad, especially since the upstream code actually still has this bug.

NACK.

Note that upstream in drivers/platform/x86/x86-android-tablets/core.c the same issue is also present around line 447:

    pdevs[pdev_count] = platform_device_register_data(&pdev->dev, "gpio-keys",
                                                      PLATFORM_DEVID_AUTO,
                                                      &pdata, sizeof(pdata));
    if (IS_ERR(pdevs[pdev_count])) {
        x86_android_tablet_remove(pdev);
        return PTR_ERR(pdevs[pdev_count]);
    }
    pdev_count++;

Please submit a fix for both issues upstream, once that has been merged you can submit a backport with a proper upstream commit reference.

Regards,

Hans

>
> Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()
> after the referenced memory was deallocated by calling function
> 'x86_android_tablet_cleanup()'.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
> Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
> ---
> drivers/platform/x86/x86-android-tablets.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c > index 9178076d9d7d..9838c5332201 100644 > --- a/drivers/platform/x86/x86-android-tablets.c > +++ b/drivers/platform/x86/x86-android-tablets.c > @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void) > for (i = 0; i < pdev_count; i++) { > pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]); > if (IS_ERR(pdevs[i])) { > + int ret = PTR_ERR(pdevs[i]); > x86_android_tablet_cleanup(); > - return PTR_ERR(pdevs[i]); > + return ret; > } > } >
On 9/17/24 15:04, Aleksandr Burakov wrote:

> No upstream commit exists for this commit.
>
> Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()

s/at/in.

> after the referenced memory was deallocated by calling function
> 'x86_android_tablet_cleanup()'.

No quotes around a function name the 1st time, and here they are the 2nd time. Please be consistent...

> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
> Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
> ---
> drivers/platform/x86/x86-android-tablets.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c > index 9178076d9d7d..9838c5332201 100644 > --- a/drivers/platform/x86/x86-android-tablets.c > +++ b/drivers/platform/x86/x86-android-tablets.c > @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void) > for (i = 0; i < pdev_count; i++) { > pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]); > if (IS_ERR(pdevs[i])) { > + int ret = PTR_ERR(pdevs[i]);

Need an empty line after the declaration, BTW...

> x86_android_tablet_cleanup(); > - return PTR_ERR(pdevs[i]); > + return ret; > } > }

MBR, Sergey
diff --git a/drivers/platform/x86/x86-android-tablets.c b/drivers/platform/x86/x86-android-tablets.c index 9178076d9d7d..9838c5332201 100644 --- a/drivers/platform/x86/x86-android-tablets.c +++ b/drivers/platform/x86/x86-android-tablets.c @@ -1853,8 +1853,9 @@ static __init int x86_android_tablet_init(void) for (i = 0; i < pdev_count; i++) { pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]); if (IS_ERR(pdevs[i])) { + int ret = PTR_ERR(pdevs[i]); x86_android_tablet_cleanup(); - return PTR_ERR(pdevs[i]); + return ret; } }
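Review bot: In the IS_ERR(pdevs[i]) branch, the added declaration "int ret = PTR_ERR(pdevs[i]);" runs straight into the x86_android_tablet_cleanup() call; kernel coding style wants a blank line between a declaration and the first statement, so please add one. The ordering is the right one, since the error code is read before the cleanup call and only the saved value is returned afterwards. The thread also points at the same read-after-cleanup pattern in the gpio-keys registration path upstream, where "return PTR_ERR(pdevs[pdev_count]);" follows x86_android_tablet_remove(pdev), so it is worth fixing both sites in one upstream change and then resubmitting this backport with the upstream commit id in the changelog.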
No upstream commit exists for this commit.

Pointer '&pdevs[i]' is dereferenced at x86_android_tablet_init()
after the referenced memory was deallocated by calling function
'x86_android_tablet_cleanup()'.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
---
 drivers/platform/x86/x86-android-tablets.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)