On Wednesday 11 June 2014, Pawel Moll wrote:
> On Wed, 2014-06-11 at 11:17 +0100, Dan Carpenter wrote:
> > This function should be returning an ERR_PTR() on failure instead of
> > NULL. Also there is a use after free bug if regmap_init() fails because
> > we free "func" and then dereference doing the return.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> >
> > diff --git a/drivers/misc/vexpress-syscfg.c b/drivers/misc/vexpress-syscfg.c > > index 73068e5..3250fc1 100644 > > --- a/drivers/misc/vexpress-syscfg.c > > +++ b/drivers/misc/vexpress-syscfg.c > > @@ -199,7 +199,7 @@ static struct regmap *vexpress_syscfg_regmap_init(struct device *dev, > > func = kzalloc(sizeof(*func) + sizeof(*func->template) * num, > > GFP_KERNEL); > > if (!func) > > - return NULL; > > + return ERR_PTR(-ENOMEM); > > > > func->syscfg = syscfg; > > func->num_templates = num; > > @@ -231,10 +231,14 @@ static struct regmap *vexpress_syscfg_regmap_init(struct device *dev, > > func->regmap = regmap_init(dev, NULL, func, > > &vexpress_syscfg_regmap_config); > > > > - if (IS_ERR(func->regmap)) > > + if (IS_ERR(func->regmap)) { > > + void *err = func->regmap; > > + > > kfree(func); > > - else > > - list_add(&func->list, &syscfg->funcs); > > + return err; > > + } > > + > > + list_add(&func->list, &syscfg->funcs); > > > > return func->regmap; > > }
>
> Uh, right. Dereferencing a freed structure. My bad. Thanks for spotting
> this!
>
> Acked-by: Pawel Moll <pawel.moll@xxxxxxx>
>
> (nit: the subject should be "misc: vexpress:" rather than "mfd:")
>
> Arnd, Olof, can you pick this one as an early fix or do you want me to
> queue it for rc1-based fixes branch?

I've applied it to the fixes branch now. Thanks!

	Arnd
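
Review bot: in the first hunk (@@ -199,7 +199,7 @@), replacing `return NULL;` with `return ERR_PTR(-ENOMEM);` on the kzalloc() failure path changes the function's failure contract, and both hunks of this patch sit inside vexpress_syscfg_regmap_init(), so no caller is updated alongside it. Please confirm that every caller tests the result with IS_ERR() and not with a NULL check, because a caller that only checks for NULL would now treat the error pointer as a valid regmap. A short comment above the function stating that it returns an ERR_PTR() on failure would make the contract explicit.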
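
Review bot: in the second hunk (@@ -231,10 +231,14 @@), `void *err = func->regmap;` drops the pointer type even though the function returns `struct regmap *`. Declaring the temporary as `struct regmap *`, or keeping the regmap_init() result in a local and assigning `func->regmap` only on success, keeps the return type checked and avoids reading a field of `func` immediately before `kfree(func)`. The ordering in the new branch is sound: the error pointer is copied out before the free, and list_add() is reached only on the success path.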