Two fixes for use-after-free and memory leaking in the EDAC core, by

Robert Richter.
 
 Debug options like DEBUG_TEST_DRIVER_REMOVE, KASAN and DEBUG_KMEMLEAK
 unearthed issues with the lifespan of memory allocated by the EDAC
 memory controller descriptor due to misdesigned memory freeing, done
 partially by the EDAC core *and* the driver core, which is problematic
 to say the least.
 
 These two are minimal fixes to take care of stable - a proper rework is
 following which cleans up that mess properly.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAl5I+WEACgkQEsHwGGHe
 VUpcwA//aF6HO2nN+fMsfauVjTEdaElGKqTSzrByVjXjah5mDKH6RZlDandyhIe2
 /Q2GYk/10ASin+FkDsc2mZ5nBcOS6rTS1avOvhlvc9xUYkzuXfvx2fZas9+81B4h
 7xRrdXzU9S4ubHAkAt9oTXn2qoeq1THfJtudMh9imgmtA+qKSSTihCP4gVwuh65H
 w91qxEIkxB5hBTxBtOI/vueTvBvvNfqyJ/nDh8uNRFAbPe//HwTwnrFhJmNBhyWD
 S6vdYrV1UnBGZpPvS46jROmsrJgsKhGH4i7zkhS2a83CvXcyIvcPFbUHXUFCkHB6
 NXeFZUIl70x5MeIElucd8g4z5vY14gY3s1mGJ/M1ErdiqQ96aGmlmh9DpArKvVqL
 HhwAHmnhbgjR5cvdYiyyC+30ZDd6Xm/aZWYj4Ks8cMOSLGvFYSUaAfnYBaTBMhWF
 S4JJBT0NBUTZhGMqr0Zyv0uOsqf+IB+63sNYI9sMR4m72noULTF2tN2tZZgkXmv8
 QxdxwHzJ9V12ZEMhleyUx9eDPPrs5jWRoP2Io1Ws3DA1P82HqVfhsDbz1DObX2Mo
 VLkXG462ANmC2hIdSr7P0uByWtRK8Nd+OMJeltK5SX2MMShQo6xO3QOkJNc7bd7X
 9YZ0R9eqUlSjJcyTZZt4DUVRIzOaVOEjRZKy6wN+zNmSmo8Nock=
 =UTcs
 -----END PGP SIGNATURE-----

Merge tag 'edac_urgent_for_5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras

Pull EDAC fixes from Borislav Petkov:
 "Two fixes for use-after-free and memory leaking in the EDAC core, by
  Robert Richter.

  Debug options like DEBUG_TEST_DRIVER_REMOVE, KASAN and DEBUG_KMEMLEAK
  unearthed issues with the lifespan of memory allocated by the EDAC
  memory controller descriptor due to misdesigned memory freeing, done
  partially by the EDAC core *and* the driver core, which is problematic
  to say the least.

  These two are minimal fixes to take care of stable - a proper rework
  is following which cleans up that mess properly"

* tag 'edac_urgent_for_5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
  EDAC/sysfs: Remove csrow objects on errors
  EDAC/mc: Fix use-after-free and memleaks during device removal
This commit is contained in:
Linus Torvalds 2020-02-16 12:49:36 -08:00
commit b982df72ef
2 changed files with 7 additions and 23 deletions

View File

@ -505,16 +505,10 @@ void edac_mc_free(struct mem_ctl_info *mci)
{ {
edac_dbg(1, "\n"); edac_dbg(1, "\n");
/* If we're not yet registered with sysfs free only what was allocated if (device_is_registered(&mci->dev))
* in edac_mc_alloc().
*/
if (!device_is_registered(&mci->dev)) {
_edac_mc_free(mci);
return;
}
/* the mci instance is freed here, when the sysfs object is dropped */
edac_unregister_sysfs(mci); edac_unregister_sysfs(mci);
_edac_mc_free(mci);
} }
EXPORT_SYMBOL_GPL(edac_mc_free); EXPORT_SYMBOL_GPL(edac_mc_free);

View File

@ -276,10 +276,7 @@ static const struct attribute_group *csrow_attr_groups[] = {
static void csrow_attr_release(struct device *dev) static void csrow_attr_release(struct device *dev)
{ {
struct csrow_info *csrow = container_of(dev, struct csrow_info, dev); /* release device with _edac_mc_free() */
edac_dbg(1, "device %s released\n", dev_name(dev));
kfree(csrow);
} }
static const struct device_type csrow_attr_type = { static const struct device_type csrow_attr_type = {
@ -447,8 +444,7 @@ static int edac_create_csrow_objects(struct mem_ctl_info *mci)
csrow = mci->csrows[i]; csrow = mci->csrows[i];
if (!nr_pages_per_csrow(csrow)) if (!nr_pages_per_csrow(csrow))
continue; continue;
device_unregister(&mci->csrows[i]->dev);
device_del(&mci->csrows[i]->dev);
} }
return err; return err;
@ -608,10 +604,7 @@ static const struct attribute_group *dimm_attr_groups[] = {
static void dimm_attr_release(struct device *dev) static void dimm_attr_release(struct device *dev)
{ {
struct dimm_info *dimm = container_of(dev, struct dimm_info, dev); /* release device with _edac_mc_free() */
edac_dbg(1, "device %s released\n", dev_name(dev));
kfree(dimm);
} }
static const struct device_type dimm_attr_type = { static const struct device_type dimm_attr_type = {
@ -893,10 +886,7 @@ static const struct attribute_group *mci_attr_groups[] = {
static void mci_attr_release(struct device *dev) static void mci_attr_release(struct device *dev)
{ {
struct mem_ctl_info *mci = container_of(dev, struct mem_ctl_info, dev); /* release device with _edac_mc_free() */
edac_dbg(1, "device %s released\n", dev_name(dev));
kfree(mci);
} }
static const struct device_type mci_attr_type = { static const struct device_type mci_attr_type = {