PCI: Fix potential double-free and add error logging

[PATCH 1/2] PCI/sysfs: Fix potential double-free in pci_remove_resource_files()

Posted by Jinhui Guo 4 months ago

Avoid a double-free in pci_remove_resource_files() by clearing
pdev->res_attr[i] and pdev->res_attr_wc[i] to NULL after kfree().
If pci_create_resource_files() fails it immediately calls
pci_remove_resource_files() to clean up, and the same function is
invoked again when the device is later removed from the PCI tree.
Without zeroing the pointers the second free would operate on stale
addresses, causing use-after-free or a double-free panic.

Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
---
 drivers/pci/pci-sysfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index 9d6f74bd95f8..a8a27d6c62bb 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1222,12 +1222,14 @@ static void pci_remove_resource_files(struct pci_dev *pdev)
 		if (res_attr) {
 			sysfs_remove_bin_file(&pdev->dev.kobj, res_attr);
 			kfree(res_attr);
+			pdev->res_attr[i] = NULL;
 		}
 
 		res_attr = pdev->res_attr_wc[i];
 		if (res_attr) {
 			sysfs_remove_bin_file(&pdev->dev.kobj, res_attr);
 			kfree(res_attr);
+			pdev->res_attr_wc[i] = NULL;
 		}
 	}
 }
-- 
2.20.1

[PATCH 1/2] PCI/sysfs: Fix potential double-free in pci_remove_resource_files()
[PATCH 2/2] PCI: Print the error code when PCI sysfs or procfs creation fails