Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Thu, Nov 10, 2016 at 02:18:12PM +0100, Arnd Bergmann wrote: > On Sunday, October 30, 2016 11:19:24 PM CET Jann Horn wrote: > > diff --git a/drivers/char/ppdev.c b/drivers/char/ppdev.c > > index d23368874710..6af1ce04b3da 100644 > > --- a/drivers/char/ppdev.c > > +++ b/drivers/char/ppdev.c > >

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Thu, Nov 10, 2016 at 02:18:12PM +0100, Arnd Bergmann wrote: > On Sunday, October 30, 2016 11:19:24 PM CET Jann Horn wrote: > > diff --git a/drivers/char/ppdev.c b/drivers/char/ppdev.c > > index d23368874710..6af1ce04b3da 100644 > > --- a/drivers/char/ppdev.c > > +++ b/drivers/char/ppdev.c > >

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Sunday, October 30, 2016 11:19:24 PM CET Jann Horn wrote: > diff --git a/drivers/char/ppdev.c b/drivers/char/ppdev.c > index d23368874710..6af1ce04b3da 100644 > --- a/drivers/char/ppdev.c > +++ b/drivers/char/ppdev.c > @@ -748,10 +748,7 @@ static int pp_release(struct inode *inode, struct file

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Sunday, October 30, 2016 11:19:24 PM CET Jann Horn wrote: > diff --git a/drivers/char/ppdev.c b/drivers/char/ppdev.c > index d23368874710..6af1ce04b3da 100644 > --- a/drivers/char/ppdev.c > +++ b/drivers/char/ppdev.c > @@ -748,10 +748,7 @@ static int pp_release(struct inode *inode, struct file

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Sun, Oct 30, 2016 at 11:19:24PM +0100, Jann Horn wrote: > free_pardevice() is called by parport_unregister_device() and already frees > pp->pdev->name, don't try to do it again. > > This bug causes kernel crashes. > > I found and verified this with KASAN and some added pr_emerg()s: > > [

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Sun, Oct 30, 2016 at 11:19:24PM +0100, Jann Horn wrote: > free_pardevice() is called by parport_unregister_device() and already frees > pp->pdev->name, don't try to do it again. > > This bug causes kernel crashes. > > I found and verified this with KASAN and some added pr_emerg()s: > > [

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Sun, Oct 30, 2016 at 11:19:24PM +0100, Jann Horn wrote: > free_pardevice() is called by parport_unregister_device() and already frees > pp->pdev->name, don't try to do it again. > > This bug causes kernel crashes. > > I found and verified this with KASAN and some added pr_emerg()s: > > [

Re: [PATCH v2] ppdev: fix double-free of pp->pdev->name

On Sun, Oct 30, 2016 at 11:19:24PM +0100, Jann Horn wrote: > free_pardevice() is called by parport_unregister_device() and already frees > pp->pdev->name, don't try to do it again. > > This bug causes kernel crashes. > > I found and verified this with KASAN and some added pr_emerg()s: > > [

[PATCH v2] ppdev: fix double-free of pp->pdev->name

free_pardevice() is called by parport_unregister_device() and already frees pp->pdev->name, don't try to do it again. This bug causes kernel crashes. I found and verified this with KASAN and some added pr_emerg()s: [ 60.316568] pp_release: pp->pdev->name == 88039cb264c0 [ 60.316692]

[PATCH v2] ppdev: fix double-free of pp->pdev->name

free_pardevice() is called by parport_unregister_device() and already frees pp->pdev->name, don't try to do it again. This bug causes kernel crashes. I found and verified this with KASAN and some added pr_emerg()s: [ 60.316568] pp_release: pp->pdev->name == 88039cb264c0 [ 60.316692]