[PATCH 4/4] mtd: rfd_ftl: fix use-after-free

Miquel Raynal miquel.raynal at bootlin.com
Fri Aug 6 11:21:58 PDT 2021


Hi Sean,

Sean Young <sean at mess.org> wrote on Tue, 13 Jul 2021 10:44:03 +0100:

> del_mtd_blktrans_dev() will kfree part, so this is a use-after-free. Use
> container_of() to make it clearer what the cast is doing.
> 
> Signed-off-by: Sean Young <sean at mess.org>
> ---
>  drivers/mtd/rfd_ftl.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/mtd/rfd_ftl.c b/drivers/mtd/rfd_ftl.c
> index 7f5f6d247cae..af20a0a71108 100644
> --- a/drivers/mtd/rfd_ftl.c
> +++ b/drivers/mtd/rfd_ftl.c

[...]

> @@ -800,10 +800,10 @@ static void rfd_ftl_remove_dev(struct
mtd_blktrans_dev *dev)
>  			part->mbd.mtd->name, i, part->blocks[i].erases);
>  	}
>  
> -	del_mtd_blktrans_dev(dev);
>  	vfree(part->sector_map);
>  	kfree(part->header_cache);
>  	kfree(part->blocks);
> +	del_mtd_blktrans_dev(&part->mbd);

I am not sure moving this call to the bottom of ftl_remove_dev makes
sense; can we keep it where it was and just do the s/dev/part->mbd/?

>  }
>  
>  static struct mtd_blktrans_ops rfd_ftl_tr = {
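Review bot: the reordering in this hunk is the actual fix, not a cosmetic move, and the commit message should say so. It states that del_mtd_blktrans_dev() kfree()s part, so with the call left in its original position the three lines that follow it, `vfree(part->sector_map);`, `kfree(part->header_cache);` and `kfree(part->blocks);`, would all read through the already-freed part; placing del_mtd_blktrans_dev(&part->mbd) after them is what removes the use-after-free, while the container_of()-based argument is only a clarity change. Suggest adding a sentence to the commit message explaining that the call must come last (if it were to stay in place, the three pointers would have to be saved into locals before the call, which is harder to keep correct).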

Thanks,
Miquèl



More information about the linux-mtd mailing list