Re: [2.6 patch] acpi/ec.c: fix use-after-free
Applied. thanks, -Len On Wednesday 24 October 2007 13:30, Alexey Starikovskiy wrote: > Adrian Bunk wrote: > > On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote: > >> Adrian, > >> > >> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce > >> use-after-free. > >> > >> Please check... > > > > > > Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did: > > > > <-- snip --> > > > > list_for_each_entry(handler, >list, node) { > > if (query_bit == handler->query_bit) { > > list_del(>node); > > kfree(handler); > > - break; > > } > > } > > > > <-- snip --> > > > > > > If you look at the definition of list_for_each_entry() in > > include/linux/list.h: > > > > <-- snip --> > > > > #define list_for_each_entry(pos, head, member) \ > > for (pos = list_entry((head)->next, typeof(*pos), member); \ > > prefetch(pos->member.next), >member != (head);\ > > pos = list_entry(pos->member.next, typeof(*pos), member)) > > > > > > <-- snip --> > > > > > > Without the "break", "handler" is being dereferenced after it was freed. > Yes, found it minute before :( > Acked, thanks. > > > > > >> Regards, > >> Alex. > >> Adrian Bunk wrote: > >>> This patch fixes a use-after-free introduced by > >>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7. > >>> > >>> Spotted by the Coverity checker. > >>> > >>> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]> > >>> > >>> --- > >>> --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 > >>> +0200 > >>> +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200 
> >>> @@ -434,11 +442,11 @@ > >>> EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler); > >>> > >>> void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) > >>> { > >>> - struct acpi_ec_query_handler *handler; > >>> + struct acpi_ec_query_handler *handler, *tmp; > >>> mutex_lock(>lock); > >>> - list_for_each_entry(handler, >list, node) { > >>> + list_for_each_entry_safe(handler, tmp, >list, node) { > >>> if (query_bit == handler->query_bit) { > >>> list_del(>node); > >>> kfree(handler); > >>> } > >>> > > > > > > cu > > Adrian > > > > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to [EMAIL PROTECTED] > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
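The dangling read Adrian explains above, modelled as an added user-space example that is not code from this thread or from the kernel: assumed minimal stand-ins for list_entry/list_add_tail/list_del plus a flagged fake_kfree() make every read through a freed handler countable, and the two loops reproduce the shape of the buggy list_for_each_entry() iteration and of the list_for_each_entry_safe() fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
struct list_head { struct list_head *next, *prev; };
struct handler { uint8_t query_bit; bool freed; struct list_head node; };
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
static void list_add_tail(struct list_head *e, struct list_head *h)
{ e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e; }
/* The kernel's list_del() also poisons e->next/e->prev; kept intact here so
 * the buggy loop can be traced deterministically instead of faulting. */
static void list_del(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; }
/* kfree() stand-in: mark the slot dead so a later read through it is visible. */
static void fake_kfree(struct handler *h) { h->freed = true; }
/* Every read of node.next goes through here; one from a freed handler is the UAF. */
static struct list_head *next_of(struct handler *h, int *uaf)
{ if (h->freed) (*uaf)++; return h->node.next; }
/* Loop shape of commit 30c08574 (break removed): the for-increment reads
 * pos->node.next after the body freed pos. Returns the dangling reads seen. */
static int remove_unsafe(struct list_head *head, uint8_t bit)
{
	int uaf = 0; struct handler *pos;
	for (pos = list_entry(head->next, struct handler, node); &pos->node != head;
	     pos = list_entry(next_of(pos, &uaf), struct handler, node))
		if (pos->query_bit == bit) { list_del(&pos->node); fake_kfree(pos); }
	return uaf;
}
/* Loop shape of the fix (list_for_each_entry_safe): the successor is saved in
 * tmp before the body runs, so nothing is read from pos after kfree. */
static int remove_safe(struct list_head *head, uint8_t bit)
{
	int uaf = 0; struct handler *pos, *tmp;
	for (pos = list_entry(head->next, struct handler, node),
	     tmp = list_entry(next_of(pos, &uaf), struct handler, node);
	     &pos->node != head;
	     pos = tmp, tmp = list_entry(next_of(tmp, &uaf), struct handler, node))
		if (pos->query_bit == bit) { list_del(&pos->node); fake_kfree(pos); }
	return uaf;
}
/* Constructed scenario: a sentinel head (so list_entry(head) is a real struct)
 * holding three handlers, two of them registered on query bit 0x80. */
static struct handler sentinel, pool[3] = { { 0x80 }, { 0x20 }, { 0x80 } };
static struct list_head *build_list(void)
{
	sentinel.node.next = sentinel.node.prev = &sentinel.node;
	for (int i = 0; i < 3; i++) {
		pool[i].freed = false;
		list_add_tail(&pool[i].node, &sentinel.node);
	}
	return &sentinel.node;
}
static int count_live(struct list_head *h)
{ int n = 0; for (struct list_head *p = h->next; p != h; p = p->next) n++; return n; }
```

The buggy loop reports one dangling read per matched handler while still removing both; the safe loop removes the same handlers with none.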
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Adrian Bunk wrote: > On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote: >> Adrian, >> >> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce >> use-after-free. >> >> Please check... > > > Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did: > > <-- snip --> > > list_for_each_entry(handler, >list, node) { > if (query_bit == handler->query_bit) { > list_del(>node); > kfree(handler); > - break; > } > } > > <-- snip --> > > > If you look at the definition of list_for_each_entry() in > include/linux/list.h: > > <-- snip --> > > #define list_for_each_entry(pos, head, member) \ > for (pos = list_entry((head)->next, typeof(*pos), member); \ > prefetch(pos->member.next), >member != (head);\ > pos = list_entry(pos->member.next, typeof(*pos), member)) > > > <-- snip --> > > > Without the "break", "handler" is being dereferenced after it was freed. Yes, found it minute before :( Acked, thanks. > > >> Regards, >> Alex. >> Adrian Bunk wrote: >>> This patch fixes a use-after-free introduced by >>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7. >>> >>> Spotted by the Coverity checker. >>> >>> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]> >>> >>> --- >>> --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200 >>> +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200 
>>> @@ -434,11 +442,11 @@ >>> EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler); >>> >>> void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) >>> { >>> - struct acpi_ec_query_handler *handler; >>> + struct acpi_ec_query_handler *handler, *tmp; >>> mutex_lock(>lock); >>> - list_for_each_entry(handler, >list, node) { >>> + list_for_each_entry_safe(handler, tmp, >list, node) { >>> if (query_bit == handler->query_bit) { >>> list_del(>node); >>> kfree(handler); >>> } >>> > > > cu > Adrian > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote: > Adrian, > > commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce > use-after-free. > > Please check... Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did: <-- snip --> list_for_each_entry(handler, >list, node) { if (query_bit == handler->query_bit) { list_del(>node); kfree(handler); - break; } } <-- snip --> If you look at the definition of list_for_each_entry() in include/linux/list.h: <-- snip --> #define list_for_each_entry(pos, head, member) \ for (pos = list_entry((head)->next, typeof(*pos), member); \ prefetch(pos->member.next), >member != (head);\ pos = list_entry(pos->member.next, typeof(*pos), member)) <-- snip --> Without the "break", "handler" is being dereferenced after it was freed. > Regards, > Alex. > Adrian Bunk wrote: > > This patch fixes a use-after-free introduced by > > commit 30c08574da0ead1a47797ce028218ce5b2de61c7. > > > > Spotted by the Coverity checker. > > > > Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]> > > > > --- > > --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200 > > +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200 
> > @@ -434,11 +442,11 @@ > > EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler); > > > > void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) > > { > > - struct acpi_ec_query_handler *handler; > > + struct acpi_ec_query_handler *handler, *tmp; > > mutex_lock(>lock); > > - list_for_each_entry(handler, >list, node) { > > + list_for_each_entry_safe(handler, tmp, >list, node) { > > if (query_bit == handler->query_bit) { > > list_del(>node); > > kfree(handler); > > } > > cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
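Review bot: the quoted `- break;` snippet from commit 30c08574 is the root cause and deserves a sentence in the fix's cover text: once the break is gone the loop continues past the matched handler, so list_for_each_entry()'s increment `pos = list_entry(pos->member.next, typeof(*pos), member)` reads handler->node.next immediately after kfree(handler). Two fixes are possible here, restoring the break (remove only the first matching handler) or switching to list_for_each_entry_safe() (keep removing every matching handler, reading the successor from `tmp`); the patch picks the second, and the commit message should say that this is the intended semantics rather than leaving the reader to infer it from the dropped break.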
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Adrian, commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce use-after-free. Please check... Regards, Alex. Adrian Bunk wrote: > This patch fixes a use-after-free introduced by > commit 30c08574da0ead1a47797ce028218ce5b2de61c7. > > Spotted by the Coverity checker. > > Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]> > > --- > --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200 > +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200 > @@ -434,11 +442,11 @@ > EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler); > > void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) > { > - struct acpi_ec_query_handler *handler; > + struct acpi_ec_query_handler *handler, *tmp; > mutex_lock(>lock); > - list_for_each_entry(handler, >list, node) { > + list_for_each_entry_safe(handler, tmp, >list, node) { > if (query_bit == handler->query_bit) { > list_del(>node); > kfree(handler); > } > > - > To unsubscribe from this list: send the line "unsubscribe linux-acpi" in > the body of a message to [EMAIL PROTECTED] > More majordomo info at http://vger.kernel.org/majordomo-info.html > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[2.6 patch] acpi/ec.c: fix use-after-free
This patch fixes a use-after-free introduced by commit 30c08574da0ead1a47797ce028218ce5b2de61c7. Spotted by the Coverity checker. Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]> --- --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200 +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200 @@ -434,11 +442,11 @@ EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler); void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit) { - struct acpi_ec_query_handler *handler; + struct acpi_ec_query_handler *handler, *tmp; mutex_lock(>lock); - list_for_each_entry(handler, >list, node) { + list_for_each_entry_safe(handler, tmp, >list, node) { if (query_bit == handler->query_bit) { list_del(>node); kfree(handler); } - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
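Review bot: the commit message names the offending commit but not the mechanism; it should state that the loop body frees `handler` and list_for_each_entry() then reads handler->node.next from the freed object in its increment expression, which the saved `tmp` of list_for_each_entry_safe() avoids (the follow-up replies in this thread had to spell this out before the maintainer acked it). Separately, the hunk header counts 11 lines but the visible context stops at `kfree(handler);`, with neither the closing braces nor the unlock that pairs with the `mutex_lock` at the top of the function shown; confirm the posted diff is complete rather than truncated in transit.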