[BUG] double free in dfu_free_entities()

Heinrich Schuchardt xypron.glpk at gmx.de
Wed Mar 10 12:04:32 CET 2021


Hello Lukasz,

Jose and I have observed segmentation violations when
dfu_free_entities() is called.

In our scenario we have:

dfu_alt_info=
sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000

dfu_free_entities() is called with these entries in dfu:

u-boot-env:
  dfu->data.sf.dev 0000000015baf420 m25p16
  dfu->data.sf.dev->dev 0000000015888410 spi.bin@0
u-boot-bin:
  dfu->data.sf.dev 0000000015baf420 m25p16
  dfu->data.sf.dev->dev 0000000015888410 spi.bin@0

The same device is released twice which eventually leads to the
segmentation fault in device_chld_remove().

Program received signal SIGSEGV, Segmentation fault.
device_chld_remove (
dev=dev@entry=0x5555557f6750 <av_+1936>, drv=drv@entry=0x0,
flags=flags@entry=1)
at drivers/core/device-remove.c:55
55 list_for_each_entry_safe(pos, n, &dev->child_head, sibling_node) {

We must ensure that dfu_free_entities() removes each device only once.

Another bug in dfu_free_entities() is that only the first list member is
freed. free() should be called for all list members.

Best regards

Heinrich
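Added illustration (not part of the original mail and not U-Boot's code): a minimal C model of the two defects described above and of a teardown routine that avoids them. `struct device`, `struct dfu_entity`, `device_remove()`, `dfu_add()`, `dfu_free_entities_buggy()`, `dfu_free_entities_fixed()` and `dfu_scenario()` are all hypothetical stand-ins for the U-Boot structures; the entity list (two entities on one `m25p16` device plus a constructed third entity on a constructed `mmc0` device) is sample data. The fixed routine releases a device only when the entity being freed holds the last reference to it in the list, and it frees every list member rather than only the head.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the driver-model device. `removed` counts
 * device_remove() calls so a double release becomes visible. */
struct device {
    const char *name;
    int removed;
};

/* Hypothetical stand-in for a DFU entity; several entities may share one device. */
struct dfu_entity {
    const char *name;
    struct device *dev;
    struct dfu_entity *next;
};

/* Simulated device_remove(): only counts, so releasing twice does not crash here. */
static void device_remove(struct device *dev)
{
    dev->removed++;
}

/* Prepend an entity to the list (helper for building the sample). */
static struct dfu_entity *dfu_add(struct dfu_entity *head, const char *name,
                                  struct device *dev)
{
    struct dfu_entity *e = calloc(1, sizeof(*e));
    if (!e)
        abort();
    e->name = name;
    e->dev = dev;
    e->next = head;
    return e;
}

/* Shape of the reported bug: every entity releases its device (so a shared
 * device is released once per entity), and only the head node is freed.
 * Returns the number of entities actually freed. */
static int dfu_free_entities_buggy(struct dfu_entity *head)
{
    struct dfu_entity *e;
    int freed = head ? 1 : 0;

    for (e = head; e; e = e->next)
        device_remove(e->dev);   /* second entity on the same device: double release */
    free(head);                  /* every other node leaks */
    return freed;
}

/* True if a later entity in the list still refers to e->dev. */
static int dfu_device_shared_later(const struct dfu_entity *e)
{
    const struct dfu_entity *o;

    for (o = e->next; o; o = o->next)
        if (o->dev == e->dev)
            return 1;
    return 0;
}

/* Corrected shape: release each device exactly once (at its last reference)
 * and free every list member. Returns the number of entities freed. */
static int dfu_free_entities_fixed(struct dfu_entity *head)
{
    int freed = 0;

    while (head) {
        struct dfu_entity *next = head->next;

        if (!dfu_device_shared_later(head))
            device_remove(head->dev);
        free(head);
        freed++;
        head = next;
    }
    return freed;
}

struct dfu_result {
    int freed;          /* entities freed */
    int spi_removes;    /* device_remove() calls on the shared flash device */
    int mmc_removes;    /* device_remove() calls on the constructed second device */
};

/* Builds the sample list and tears it down with either routine. */
static struct dfu_result dfu_scenario(int use_fixed)
{
    struct device spi = { "m25p16", 0 };
    struct device mmc = { "mmc0", 0 };          /* constructed second device */
    struct dfu_entity *list = NULL, *rest;
    struct dfu_result r;

    list = dfu_add(list, "u-boot-bin", &spi);
    list = dfu_add(list, "u-boot-env", &spi);   /* same device as u-boot-bin */
    list = dfu_add(list, "kernel", &mmc);       /* constructed entity */
    rest = list->next;                          /* kept only to reclaim the buggy leak */

    if (use_fixed) {
        r.freed = dfu_free_entities_fixed(list);
    } else {
        r.freed = dfu_free_entities_buggy(list);
        while (rest) {                          /* demo cleanup of the leaked nodes */
            struct dfu_entity *next = rest->next;
            free(rest);
            rest = next;
        }
    }
    r.spi_removes = spi.removed;
    r.mmc_removes = mmc.removed;
    return r;
}

int main(void)
{
    struct dfu_result b = dfu_scenario(0), f = dfu_scenario(1);

    printf("buggy: freed=%d m25p16 removed %dx mmc0 removed %dx\n",
           b.freed, b.spi_removes, b.mmc_removes);
    printf("fixed: freed=%d m25p16 removed %dx mmc0 removed %dx\n",
           f.freed, f.spi_removes, f.mmc_removes);
    return 0;
}
```

With the sample list, the buggy routine reports the shared flash device removed twice and only one of three entities freed; the fixed routine removes each device once and frees all three.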