RE: [PATCH 1/6] drivers/dma: Correct use after free
From: Sosnowski, Maciej
Date: Wed Dec 23 2009 - 10:09:46 EST
Julia Lawall wrote:
> From: Julia Lawall <julia@xxxxxxx>
>
> Move the kfree after the iounmap that refers to the same structure.
>
> A simplified version of the semantic match that finds this problem is as
> follows: (http://coccinelle.lip6.fr/)
>
> // <smpl>
> @@
> expression x,e;
> identifier f;
> iterator I;
> statement S;
> @@
>
> *kfree(x);
> ... when != &x
> when != x = e
> when != I(x,...) S
> *x->f
> // </smpl>
>
> Signed-off-by: Julia Lawall <julia@xxxxxxx>
>
> ---
> drivers/dma/coh901318.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
> index 4a99cd9..b5f2ee0 100644
> --- a/drivers/dma/coh901318.c
> +++ b/drivers/dma/coh901318.c
> @@ -1294,8 +1294,8 @@ static int __exit coh901318_remove(struct platform_device *pdev)
> dma_async_device_unregister(&base->dma_slave);
> coh901318_pool_destroy(&base->pool);
> free_irq(platform_get_irq(pdev, 0), base);
> - kfree(base);
> iounmap(base->virtbase);
> + kfree(base);
> release_mem_region(pdev->resource->start,
> resource_size(pdev->resource));
> return 0;
Acked-by: Maciej Sosnowski <maciej.sosnowski@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/