git: 32de28db2327 - stable/14 - acpi_gpiobus: Fix cleanup on set flags failure
Date: Thu, 27 Feb 2025 15:14:02 UTC
The branch stable/14 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=32de28db2327014b320d2f3b29b5438dcdfd928c
commit 32de28db2327014b320d2f3b29b5438dcdfd928c
Author:     Andrew Turner <andrew@FreeBSD.org>
AuthorDate: 2024-12-09 15:14:13 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2025-02-27 15:10:09 +0000
    acpi_gpiobus: Fix cleanup on set flags failure
    
    When GPIOBUS_PIN_SETFLAGS fails we called gpiobus_free_ivars to clean
    up the contents of the ivar, then would free the ivar. This led to a
    use-after-free as the ivar had already been set on the child so
    gpiobus_child_deleted would try to free it again.
    
    Fix this by removing the early cleanup and letting
    gpiobus_child_deleted handle it.
    
    Fixes:  c9e880c0ceef ("gpiobus: Use a bus_child_deleted method to free ivars for children")
    Sponsored by:   Arm Ltd
    Differential Revision:  https://reviews.freebsd.org/D47670
    (cherry picked from commit bb8c68b25333638a20838500ccffee23b4291427)
---
 sys/dev/gpio/acpi_gpiobus.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/sys/dev/gpio/acpi_gpiobus.c b/sys/dev/gpio/acpi_gpiobus.c
index 14ded4539a5e..254bb951177d 100644
--- a/sys/dev/gpio/acpi_gpiobus.c
+++ b/sys/dev/gpio/acpi_gpiobus.c
@@ -201,8 +201,6 @@ acpi_gpiobus_enumerate_aei(ACPI_RESOURCE *res, void *context)
 
 	for (int i = 0; i < devi->gpiobus.npins; i++) {
 		if (GPIOBUS_PIN_SETFLAGS(bus, child, 0, devi->flags)) {
-			gpiobus_free_ivars(&devi->gpiobus);
-			free(devi, M_DEVBUF);
 			device_delete_child(bus, child);
 			return (AE_OK);
 		}
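Review bot: In the GPIOBUS_PIN_SETFLAGS failure branch, nothing in the code now says who owns devi, so the removed gpiobus_free_ivars()/free() pair is easy to reintroduce by a later cleanup pass. Add a short comment above device_delete_child(bus, child) noting that the ivar has already been set on the child and that gpiobus_child_deleted frees it. Separately, in the unchanged context the call passes pin 0 on every iteration while the loop counts i up to devi->gpiobus.npins; it is worth confirming whether i was intended there. The branch also returns AE_OK with no message, so a device_printf on this path would make a failed set-flags call visible.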