Hi,


On Tue, Feb 18, 2025, at 17:01, Harshit Mogalapalli wrote:

Hi,

On 18/02/25 21:04, Sven Peter wrote:

quoted

Hi,


On Wed, Feb 12, 2025, at 09:58, Harshit Mogalapalli wrote:

quoted

This code calls kfree(bfr); and then passes "bfr" to rtk->ops->crashed()
which is a use after free.  The ->crashed function pointer is implemented
by apple_nvme_rtkit_crashed() and it doesn't use the "bfr" pointer so
this doesn't cause a problem.  But it still looks sketchy as can be.

Fix this by moving kfree() after the last usage of bfr.

Fixes: c559645f343a ("soc: apple: rtkit: Pass the crashlog to the
crashed() callback")

This commit isn't upstream yet afaict, did you mean to post a review comment
to [1] instead?

I made the patch based on linux-next, linux-next has the patch merged.

Whoops, I guess we accidentally already pushed that one to for-next without merging it.
I'll merge both and adjust the commit hash in your Fixes tag.


Thanks,


Sven