Date: Mon, 9 Dec 2024 15:45:05 GMT
From: Andrew Turner <andrew@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: bb8c68b25333 - main - acpi_gpiobus: Fix cleanup on set flags failure
Message-ID: <202412091545.4B9Fj5Qu062505@gitrepo.freebsd.org>
The branch main has been updated by andrew:

URL: https://cgit.FreeBSD.org/src/commit/?id=bb8c68b25333638a20838500ccffee23b4291427

commit bb8c68b25333638a20838500ccffee23b4291427
Author: Andrew Turner <andrew@FreeBSD.org>
AuthorDate: 2024-12-09 15:14:13 +0000
Commit: Andrew Turner <andrew@FreeBSD.org>
CommitDate: 2024-12-09 15:44:30 +0000

acpi_gpiobus: Fix cleanup on set flags failure

When GPIOBUS_PIN_SETFLAGS fails we called gpiobus_free_ivars to clean up the contents of the ivar, then would free the ivar. This led to a use-after-free as the ivar had already been set on the child so gpiobus_child_deleted would try to free it again.

Fix this by removing the early cleanup and letting gpiobus_child_deleted handle it.

Fixes: c9e880c0ceef ("gpiobus: Use a bus_child_deleted method to free ivars for children")
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D47670

--- sys/dev/gpio/acpi_gpiobus.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sys/dev/gpio/acpi_gpiobus.c b/sys/dev/gpio/acpi_gpiobus.c index e766c25e5336..be3889f6a89b 100644 --- a/sys/dev/gpio/acpi_gpiobus.c +++ b/sys/dev/gpio/acpi_gpiobus.c @@ -203,8 +203,6 @@ acpi_gpiobus_enumerate_aei(ACPI_RESOURCE *res, void *context) for (int i = 0; i < devi->gpiobus.npins; i++) { if (GPIOBUS_PIN_SETFLAGS(bus, child, 0, devi->flags)) { - gpiobus_free_ivars(&devi->gpiobus); - free(devi, M_DEVBUF); device_delete_child(bus, child); return (AE_OK); }
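
Review bot: The failure branch of the GPIOBUS_PIN_SETFLAGS check now frees nothing itself and depends on device_delete_child(bus, child) reaching gpiobus_child_deleted to release devi, which is not evident from this function alone. A one-line comment above device_delete_child stating that the ivar is already owned by the child and is freed by the bus_child_deleted method would keep someone from reintroducing the explicit free(devi, M_DEVBUF). Separately, in the context lines the loop runs i over devi->gpiobus.npins but passes the constant 0 as the pin argument, so i is unused in the call; if pin 0 is intended the loop is unnecessary, otherwise the argument should probably be i. The branch also returns AE_OK without logging, so a device_printf on failure would make a skipped child visible.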