From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>,
"Claude Sonnet 4.5" <noreply@anthropic.com>,
Marco Felsch <m.felsch@pengutronix.de>
Subject: [PATCH v2025.09.y 22/58] FIT: fix double free issue with >1 reference count
Date: Fri, 13 Mar 2026 14:25:06 +0100 [thread overview]
Message-ID: <20260313132631.2257573-23-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20260313132631.2257573-1-a.fatoum@pengutronix.de>
fit_open() was recently changed to be reference counted. When the FIT is
already open, a handle will be returned with the canonical filename
being the only allocation incurred.
fit_close() however unconditionally frees the handle without regards to
the reference count.
Fix this and while at it, fix the memory leak for the canonical filename
as well.
(cherry picked from commit ba345a71e85e90d70c01a3a6ec06bf6258634d2c)
Reported-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixes: f3aadb274abe ("FIT: add support to cache opened fit images")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
Link: https://lore.barebox.org/20260126104433.765071-1-a.fatoum@pengutronix.de
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
common/image-fit.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 6b44a79e9d1c..027b268928d3 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1016,6 +1016,7 @@ struct fit_handle *fit_open(const char *_filename, bool verbose,
handle = fit_get_handle(filename);
if (handle) {
+ free(filename);
refcount_inc(&handle->users);
return handle;
}
@@ -1049,10 +1050,10 @@ struct fit_handle *fit_open(const char *_filename, bool verbose,
return handle;
}
-static void __fit_close(struct fit_handle *handle)
+static bool __fit_close(struct fit_handle *handle)
{
if (!refcount_dec_and_test(&handle->users))
- return;
+ return false;
if (handle->root)
of_delete_node(handle->root);
@@ -1062,12 +1063,13 @@ static void __fit_close(struct fit_handle *handle)
free(handle->filename);
free(handle->fit_alloc);
+ return true;
}
void fit_close(struct fit_handle *handle)
{
- __fit_close(handle);
- free(handle);
+ if (__fit_close(handle))
+ free(handle);
}
static int do_bootm_fit(struct image_data *data)
--
2.47.3
next prev parent reply other threads:[~2026-03-13 13:35 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 13:24 [PATCH v2025.09.y 00/58] Backports for v2025.09.1 Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 01/58] clk: clkdev: fix format security Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 02/58] scripts: imx: fix string in further auth block Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 03/58] scripts: imx-image: support DCD_WRITE on closed dev Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 04/58] mci: am654-sdhci: Wait for transfer complete interrupt with MMC_RSP_BUSY cmd Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 05/58] video: simplefb-client: switch to dev_get_resource Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 06/58] MIPS: qemu-malta_defconfig: Use largest possible relocation table Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 07/58] firmware: handle firmware files being links correctly Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 08/58] drivers: don't propagate of_alias_get_id's -ENODEV out of probe Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 09/58] ARM: socfpga: arria10-reset-manager: release UART0 Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 10/58] bug: add support for CONFIG_DEBUG_BUGVERBOSE Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 11/58] driver: implement get_free_deviceid_from() Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 12/58] sandbox: fix make dependency for sandbox Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 13/58] gpio: Fix GPIOD_ASIS flag Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 14/58] i.MX: HAB: fix field return unlock fuse uid Ahmad Fatoum
2026-03-13 13:24 ` [PATCH v2025.09.y 15/58] ARM: cpu: common: skip R_ARM_NONE relocations Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 16/58] mmc: resolve conflict between MMC_CAP_NONREMOVABLE and MMC_CAP_1_8V_DDR Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 17/58] virtio: ring: fix stale data in queue after reset Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 18/58] scripts: Makefile.lib: suppress graph_port warnings for overlays Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 19/58] ARM: Rockchip: rk3576-prtpuk: suppress video graph warning Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 20/58] kbuild: fold rmdirs into rmfiles Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 21/58] mtd: nand: mxc_nand: use clk_get_optional for clock handling Ahmad Fatoum
2026-03-13 13:25 ` Ahmad Fatoum [this message]
2026-03-13 13:25 ` [PATCH v2025.09.y 23/58] net: phy: mdio_bus: fix freeing of cdev name before devfs_remove Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 24/58] bootm: fix bootm override saving/restoring Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 25/58] common: tlv: Correct eth address list fixup Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 26/58] common: tlv: fix link error when CONFIG_NET is disabled Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 27/58] include: array_size.h: make header self-contained Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 28/58] RISC-V: dts: fix generation of dtbs-list Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 29/58] of: overlay: propagate error unflattening DTBO Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 30/58] efi: fix potential NULL dereference Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 31/58] FIT: fix potential underflow of stack array Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 32/58] of: fdt: fix double free in fdt_ensure_space Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 33/58] of: overlay: initialize ret to fix garbage return value Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 34/58] firmware: xilinx-fpga: fix double free in probe error path Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 35/58] driver: fix missing va_end in dev_add_alias " Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 36/58] net: eth: avoid overlapping memcpy in eth_set_ethaddr Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 37/58] pmdomain: fix dereference before NULL check in genpd_get_from_provider Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 38/58] net: phy: add NULL check for phy driver in page accessors Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 39/58] open: add missing mode argument to O_CREAT calls Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 40/58] hush: add NULL check for gl_pathv after do_glob_in_argv Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 41/58] i2c: rk3x: fix NULL pointer dereference on repeated NACK Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 42/58] mci: imx-esdhc: remove misleading NULL check for cmd pointer Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 43/58] mci: spi: initialize r1 to fix garbage return value Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 44/58] virtio: fix variable shadowing in virtqueue_add_sgs input scatter loop Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 45/58] video: mode-helpers: preserve sync polarity in fb_videomode conversion Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 46/58] ARM: rockchip: dmc: use define instead of hardcoded value Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 47/58] ARM: rockchip: atf: Fix memend Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 48/58] regulator: fix handling of off_on_delay Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 49/58] regulator: fixed: handle startup-delay-us property Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 50/58] scripts: include: break dependency of list.h on kernel.h Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 51/58] Makefile: include scripts/ in compile_commands.json Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 52/58] jwt: fix buffer overflow and double-free in jwt_part_parse Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 53/58] of: fdt: fix heap-buffer-overflow in fdt_machine_is_compatible Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 54/58] powerpc: fix initjmp storing function pointer at wrong offset Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 55/58] net: r8169: drain RX descriptor ring Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 56/58] of: fdt: refuse / in property and node names Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 57/58] FIT: reconstruct hashed-nodes property during verification Ahmad Fatoum
2026-03-13 13:25 ` [PATCH v2025.09.y 58/58] scripts: fix build failure with glibc 2.43 Ahmad Fatoum
2026-03-13 14:56 ` [PATCH v2025.09.y 00/58] Backports for v2025.09.1 Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260313132631.2257573-23-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=m.felsch@pengutronix.de \
--cc=noreply@anthropic.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox