2009-12-22 20:31:08

by Julia Lawall

[permalink] [raw]
Subject: [PATCH 1/6] drivers/dma: Correct use after free

From: Julia Lawall <[email protected]>

Move the kfree after the iounmap that refers to the same structure.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression x,e;
identifier f;
iterator I;
statement S;
@@

*kfree(x);
... when != &x
when != x = e
when != I(x,...) S
*x->f
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/dma/coh901318.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
index 4a99cd9..b5f2ee0 100644
--- a/drivers/dma/coh901318.c
+++ b/drivers/dma/coh901318.c
@@ -1294,8 +1294,8 @@ static int __exit coh901318_remove(struct platform_device *pdev)
dma_async_device_unregister(&base->dma_slave);
coh901318_pool_destroy(&base->pool);
free_irq(platform_get_irq(pdev, 0), base);
- kfree(base);
iounmap(base->virtbase);
+ kfree(base);
release_mem_region(pdev->resource->start,
resource_size(pdev->resource));
return 0;


2009-12-22 22:18:00

by Dan Williams

[permalink] [raw]
Subject: Re: [PATCH 1/6] drivers/dma: Correct use after free

On Tue, Dec 22, 2009 at 1:30 PM, Julia Lawall <[email protected]> wrote:
> From: Julia Lawall <[email protected]>
>
> Move the kfree after the iounmap that refers to the same structure.
>

Thanks Julia. I'll apply this one and the kzalloc versus memset one
you sent earlier.

--
Dan

2009-12-23 15:09:42

by Sosnowski, Maciej

[permalink] [raw]
Subject: RE: [PATCH 1/6] drivers/dma: Correct use after free

Julia Lawall wrote:
> From: Julia Lawall <[email protected]>
>
> Move the kfree after the iounmap that refers to the same structure.
>
> A simplified version of the semantic match that finds this problem is as
> follows: (http://coccinelle.lip6.fr/)
>
> // <smpl>
> @@
> expression x,e;
> identifier f;
> iterator I;
> statement S;
> @@
>
> *kfree(x);
> ... when != &x
> when != x = e
> when != I(x,...) S
> *x->f
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> drivers/dma/coh901318.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
> index 4a99cd9..b5f2ee0 100644
> --- a/drivers/dma/coh901318.c
> +++ b/drivers/dma/coh901318.c
> @@ -1294,8 +1294,8 @@ static int __exit coh901318_remove(struct platform_device *pdev)
> dma_async_device_unregister(&base->dma_slave);
> coh901318_pool_destroy(&base->pool);
> free_irq(platform_get_irq(pdev, 0), base);
> - kfree(base);
> iounmap(base->virtbase);
> + kfree(base);
> release_mem_region(pdev->resource->start,
> resource_size(pdev->resource));
> return 0;

Acked-by: Maciej Sosnowski <[email protected]>