mfd: Correct use after free for t7l66xb

Author: Julia Lawall <julia@diku.dk>

The structure t7l66xb should not be freed before the subsequent references
to its fields in the arguments to clk_put.  Furthermore, this structure is
allocated near the beginning of the function, and a goto to the label
err_noirq appears after a successful allocation, so it would seem that the
kfree should be moved down below this label.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// 
@@
expression x,e;
identifier f;
iterator I;
statement S;
@@

*kfree(x);
... when != &x
    when != x = e
    when != I(x,...) S
*x->f
// 

Signed-off-by: Julia Lawall 
---
 drivers/mfd/t7l66xb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 
diff --git a/drivers/mfd/t7l66xb.c b/drivers/mfd/t7l66xb.c
index e0bbddd..26d9176 100644
--- a/drivers/mfd/t7l66xb.c
+++ b/drivers/mfd/t7l66xb.c
@@ -403,12 +403,12 @@ static int t7l66xb_probe(struct platform_device *dev)
 err_ioremap:
 	release_resource(&t7l66xb->rscr);
 err_request_scr:
-	kfree(t7l66xb);
 	clk_put(t7l66xb->clk48m);
 err_clk48m_get:
 	clk_put(t7l66xb->clk32k);
 err_clk32k_get:
 err_noirq:
+	kfree(t7l66xb);
 	return ret;
 }
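Review bot: The relocated kfree(t7l66xb) under err_noirq does more than reorder the free against the two clk_put() calls, and the changelog should say so. In the old code, jumps to err_clk48m_get, err_clk32k_get and err_noirq all landed below the kfree and returned without freeing the structure, so this hunk also closes a leak on those three paths. The commit message only says "it would seem" the kfree belongs below the label. Please state the leak fix outright, and confirm that no goto to err_noirq or err_clk32k_get is taken before the allocation has succeeded, since the allocation site is outside this hunk.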