2011-05-13 13:52:20

by Julia Lawall

Subject: [PATCH 1/3] arch/x86/kernel/cpu/mcheck/mce_amd.c: Avoid leaving freed data in a list

b may be added to a list, but is not removed before being freed in the case
of an error. This is done in the corresponding deallocation function, so
the code here has been changed to follow that.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E,E1,E2;
identifier l;
@@

*list_add(&E->l,E1);
... when != E1
    when != list_del(&E->l)
    when != list_del_init(&E->l)
    when != E = E2
*kfree(E);
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
arch/x86/kernel/cpu/mcheck/mce_amd.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c
index 167f97b..bb0adad 100644
--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
+++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
@@ -509,6 +509,7 @@ recurse:
out_free:
if (b) {
kobject_put(&b->kobj);
+ list_del(&b->miscj);
kfree(b);
}
return err;
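
Review bot: in the out_free block, list_del(&b->miscj) is placed after kobject_put(&b->kobj), so the block is still on the list at the moment its reference is dropped, and b is touched again after the put. Consider unlinking first, i.e. list_del(&b->miscj) above kobject_put(&b->kobj), so that nothing walking the list can reach an object whose reference has already been released.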

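The bug shape the semantic match above looks for, as an added userspace example (not code from the patch or the kernel): a node is linked with list_add and then freed on an error path. The list helpers are simplified stand-ins, and struct block, is_linked and add_then_fail are hypothetical names; only the field name miscj comes from the patch.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed userspace stand-in for the kernel's struct list_head helpers. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Hypothetical object; only the field name miscj is taken from the patch. */
struct block { int id; struct list_head miscj; };

/* Walk the list and report whether n is still linked into it. */
static int is_linked(const struct list_head *h, const struct list_head *n)
{
    for (const struct list_head *p = h->next; p != h; p = p->next)
        if (p == n) return 1;
    return 0;
}

/*
 * Allocate a block, link it, then hit a simulated late failure.
 * unlink=0 reproduces the list_add ... kfree shape the semantic match flags;
 * unlink=1 removes the node first. Returns 1 if the block was freed while
 * still reachable from head (a dangling entry), 0 if not, -1 if malloc failed.
 */
static int add_then_fail(struct list_head *head, int unlink)
{
    struct block *b = malloc(sizeof(*b));
    int dangling;

    if (!b) return -1;
    list_add(&b->miscj, head);
    /* ... a later setup step fails here ... */
    if (unlink)
        list_del(&b->miscj);
    dangling = is_linked(head, &b->miscj);   /* checked before the free */
    free(b);
    return dangling;
}
```

After the unlink=0 call the list head points into freed memory, so the caller must reinitialise it before any further use.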

Subject: Re: [PATCH 1/3] arch/x86/kernel/cpu/mcheck/mce_amd.c: Avoid leaving freed data in a list

On Fri, May 13, 2011 at 09:52:09AM -0400, Julia Lawall wrote:
> b may be added to a list, but is not removed before being freed in the case
> of an error. This is done in the corresponding deallocation function, so
> the code here has been changed to follow that.
>
> The semantic match that finds this problem is as follows:
> (http://coccinelle.lip6.fr/)
>
> // <smpl>
> @@
> expression E,E1,E2;
> identifier l;
> @@
>
> *list_add(&E->l,E1);
> ... when != E1
>     when != list_del(&E->l)
>     when != list_del_init(&E->l)
>     when != E = E2
> *kfree(E);
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Acked-by: Borislav Petkov <[email protected]>

>
> ---
> arch/x86/kernel/cpu/mcheck/mce_amd.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c
> index 167f97b..bb0adad 100644
> --- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
> +++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
> @@ -509,6 +509,7 @@ recurse:
> out_free:
> if (b) {
> kobject_put(&b->kobj);
> + list_del(&b->miscj);
> kfree(b);
> }
> return err;
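
Review bot: the added list_del(&b->miscj) runs unconditionally inside if (b), while the changelog says b only "may be" added to a list. Please confirm that b->miscj is initialised (INIT_LIST_HEAD or an actual list_add) on every path that can reach out_free with b non-NULL; otherwise list_del dereferences whatever next/prev happen to hold. If some path gets here before the list head is set up, initialising it right after allocation would make the unconditional call safe.
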
>
>

--
Regards/Gruss,
Boris.

Advanced Micro Devices GmbH
Einsteinring 24, 85609 Dornach
General Managers: Alberto Bozzo, Andrew Bowd
Registration: Dornach, Gemeinde Aschheim, Landkreis Muenchen
Registergericht Muenchen, HRB Nr. 43632

2011-05-15 12:16:59

by Julia Lawall

Subject: [tip:x86/urgent] x86, mce, AMD: Fix leaving freed data in a list

Commit-ID: d9a5ac9ef306eb5cc874f285185a15c303c50009
Gitweb: http://git.kernel.org/tip/d9a5ac9ef306eb5cc874f285185a15c303c50009
Author: Julia Lawall <[email protected]>
AuthorDate: Fri, 13 May 2011 15:52:09 +0200
Committer: Ingo Molnar <[email protected]>
CommitDate: Fri, 13 May 2011 17:11:02 +0200

x86, mce, AMD: Fix leaving freed data in a list

b may be added to a list, but is not removed before being freed
in the case of an error. This is done in the corresponding
deallocation function, so the code here has been changed to
follow that.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E,E1,E2;
identifier l;
@@

*list_add(&E->l,E1);
... when != E1
    when != list_del(&E->l)
    when != list_del_init(&E->l)
    when != E = E2
*kfree(E);
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Robert Richter <[email protected]>
Cc: Yinghai Lu <[email protected]>
Cc: Andreas Herrmann <[email protected]>
Cc: <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
---
arch/x86/kernel/cpu/mcheck/mce_amd.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c
index 167f97b..bb0adad 100644
--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
+++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
@@ -509,6 +509,7 @@ recurse:
out_free:
if (b) {
kobject_put(&b->kobj);
+ list_del(&b->miscj);
kfree(b);
}
return err;
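
Review bot: the added list_del(&b->miscj) under out_free carries no comment, and the changelog refers to "the corresponding deallocation function" without naming it, so the claimed parity cannot be checked from the patch alone. Name that function in the changelog, or add a one-line comment above the list_del saying which teardown path it mirrors.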