commit f2d2420bbf4bb125ea5f2e1573d4da6b668fc78a · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

SA1111: Eliminate use after free

__sa1111_remove always frees its argument, so the subsequent reference to
sachip->saved_state represents a use after free. __sa1111_remove does not
appear to use the saved_state field, so the patch simply frees it first.

A simplified version of the semantic patch that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E,E2;
@@

__sa1111_remove(E)
...
(
E = E2
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

authored by Julia Lawall and committed by Russell King 15 years ago f2d2420b 74bc8093

options

unified split

Changed files

+2 -3

arch

arm

common

sa1111.c

+2 -3

arch/arm/common/sa1111.c

··· 1028 1028 struct sa1111 *sachip = platform_get_drvdata(pdev); 1029 1029 1030 1030 if (sachip) { 1031 - __sa1111_remove(sachip); 1032 - platform_set_drvdata(pdev, NULL); 1033 - 1034 1031 #ifdef CONFIG_PM 1035 1032 kfree(sachip->saved_state); 1036 1033 sachip->saved_state = NULL; 1037 1034 #endif 1035 + __sa1111_remove(sachip); 1036 + platform_set_drvdata(pdev, NULL); 1038 1037 } 1039 1038 1040 1039 return 0;