The patch titled
     sx.c: avoid referencing freed memory if copy_from_user() fails
has been added to the -mm tree. Its filename is
     sxc-avoid-referencing-freed-memory-if-copy_from_user-fails.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: sx.c: avoid referencing freed memory if copy_from_user() fails
From: Dan Carpenter <error27@xxxxxxxxx>

The "break" would just result in reusing a free'd pointer.

I don't have the cards myself to test it though. :/

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
Cc: Ilpo Järvinen <ilpo.jarvinen@xxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/char/sx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/char/sx.c~sxc-avoid-referencing-freed-memory-if-copy_from_user-fails drivers/char/sx.c --- a/drivers/char/sx.c~sxc-avoid-referencing-freed-memory-if-copy_from_user-fails +++ a/drivers/char/sx.c
@@ -1789,7 +1789,7 @@ static long sx_fw_ioctl(struct file *fil nbytes - i : SX_CHUNK_SIZE)) { kfree(tmp); rc = -EFAULT; - break; + goto out; } memcpy_toio(board->base2 + offset + i, tmp, (i + SX_CHUNK_SIZE > nbytes) ? _ Patches currently in -mm which might be from error27@xxxxxxxxx are origin.patch sxc-fix-dbl-statement-if-add-missing-braces.patch sxc-avoid-referencing-freed-memory-if-copy_from_user-fails.patch linux-next.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
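Review bot: the `goto out` added in the copy_from_user() failure branch of sx_fw_ioctl() jumps to a label that lies outside the hunk's context, so the patch as posted does not show what `out` does. Since this branch has already called kfree(tmp), please confirm that `out` does not free tmp a second time and that it releases whatever the ioctl holds at this point. The changelog would also be easier to verify if it named the later use of tmp that the old `break` fell through to, because the only other use visible here, the memcpy_toio() call, sits inside the loop and was already skipped by `break`. A more robust shape would be to drop the inline kfree(tmp) and free the buffer once on a shared exit path, so that no path leaves the loop with a dangling tmp.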