[PATCH] mm: dmapool: fix possible use after free indmam_pool_destroy()

From: Maxin B John
Date: Wed Jun 01 2011 - 17:43:25 EST

Next message: Alan Cox: "Re: [PATCH 7/7] [v2] drivers/misc: introduce Freescale hypervisormanagement driver"
Previous message: Arnd Bergmann: "Re: [PATCH 7/7] [v2] drivers/misc: introduce Freescale hypervisor management driver"
Next in thread: Rolf Eike Beer: "Re: [PATCH] mm: dmapool: fix possible use after free in dmam_pool_destroy()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"dma_pool_destroy(pool)" calls "kfree(pool)". The freed pointer "pool"
is again passed as an argument to the function "devres_destroy()".
This patch fixes the possible use after free.

Please let me know your comments.

Signed-off-by: Maxin B. John <maxin.john@xxxxxxxxx>
---
diff --git a/mm/dmapool.c b/mm/dmapool.c
index 03bf3bb..fbb58e3 100644
--- a/mm/dmapool.c
+++ b/mm/dmapool.c
@@ -500,7 +500,7 @@ void dmam_pool_destroy(struct dma_pool *pool)
{
struct device *dev = pool->dev;

- dma_pool_destroy(pool);
WARN_ON(devres_destroy(dev, dmam_pool_release, dmam_pool_match, pool));
+ dma_pool_destroy(pool);
}
EXPORT_SYMBOL(dmam_pool_destroy);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: [PATCH 7/7] [v2] drivers/misc: introduce Freescale hypervisormanagement driver"
Previous message: Arnd Bergmann: "Re: [PATCH 7/7] [v2] drivers/misc: introduce Freescale hypervisor management driver"
Next in thread: Rolf Eike Beer: "Re: [PATCH] mm: dmapool: fix possible use after free in dmam_pool_destroy()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]