Re: [2.6 patch] acpi/ec.c: fix use-after-free
Applied.
thanks,
-Len
On Wednesday 24 October 2007 13:30, Alexey Starikovskiy wrote:
> Adrian Bunk wrote:
> > On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
> >> Adrian,
> >>
> >> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
> >> use-after-free.
> >>
> >> Please check...
> >
> >
> > Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
> >
> > <-- snip -->
> >
> > list_for_each_entry(handler, >list, node) {
> > if (query_bit == handler->query_bit) {
> > list_del(>node);
> > kfree(handler);
> > - break;
> > }
> > }
> >
> > <-- snip -->
> >
> >
> > If you look at the definition of list_for_each_entry() in
> > include/linux/list.h:
> >
> > <-- snip -->
> >
> > #define list_for_each_entry(pos, head, member) \
> > for (pos = list_entry((head)->next, typeof(*pos), member); \
> > prefetch(pos->member.next), >member != (head);\
> > pos = list_entry(pos->member.next, typeof(*pos), member))
> >
> >
> > <-- snip -->
> >
> >
> > Without the "break", "handler" is being dereferenced after it was freed.
> Yes, found it minute before :(
> Acked, thanks.
> >
> >
> >> Regards,
> >> Alex.
> >> Adrian Bunk wrote:
> >>> This patch fixes a use-after-free introduced by
> >>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
> >>>
> >>> Spotted by the Coverity checker.
> >>>
> >>> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
> >>>
> >>> ---
> >>> --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0
> >>> +0200
> >>> +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
> >>> @@ -434,11 +442,11 @@
> >>> EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
> >>>
> >>> void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
> >>> {
> >>> - struct acpi_ec_query_handler *handler;
> >>> + struct acpi_ec_query_handler *handler, *tmp;
> >>> mutex_lock(>lock);
> >>> - list_for_each_entry(handler, >list, node) {
> >>> + list_for_each_entry_safe(handler, tmp, >list, node) {
> >>> if (query_bit == handler->query_bit) {
> >>> list_del(>node);
> >>> kfree(handler);
> >>> }
> >>>
> >
> >
> > cu
> > Adrian
> >
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Applied.
thanks,
-Len
On Wednesday 24 October 2007 13:30, Alexey Starikovskiy wrote:
Adrian Bunk wrote:
On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
Adrian,
commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
use-after-free.
Please check...
Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
-- snip --
list_for_each_entry(handler, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
- break;
}
}
-- snip --
If you look at the definition of list_for_each_entry() in
include/linux/list.h:
-- snip --
#define list_for_each_entry(pos, head, member) \
for (pos = list_entry((head)-next, typeof(*pos), member); \
prefetch(pos-member.next), pos-member != (head);\
pos = list_entry(pos-member.next, typeof(*pos), member))
-- snip --
Without the break, handler is being dereferenced after it was freed.
Yes, found it minute before :(
Acked, thanks.
Regards,
Alex.
Adrian Bunk wrote:
This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
Spotted by the Coverity checker.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
---
--- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0
+0200
+++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
@@ -434,11 +442,11 @@
EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
{
- struct acpi_ec_query_handler *handler;
+ struct acpi_ec_query_handler *handler, *tmp;
mutex_lock(ec-lock);
- list_for_each_entry(handler, ec-list, node) {
+ list_for_each_entry_safe(handler, tmp, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
}
cu
Adrian
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Adrian Bunk wrote:
> On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
>> Adrian,
>>
>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
>> use-after-free.
>>
>> Please check...
>
>
> Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
>
> <-- snip -->
>
> list_for_each_entry(handler, >list, node) {
> if (query_bit == handler->query_bit) {
> list_del(>node);
> kfree(handler);
> - break;
> }
> }
>
> <-- snip -->
>
>
> If you look at the definition of list_for_each_entry() in
> include/linux/list.h:
>
> <-- snip -->
>
> #define list_for_each_entry(pos, head, member) \
> for (pos = list_entry((head)->next, typeof(*pos), member); \
> prefetch(pos->member.next), >member != (head);\
> pos = list_entry(pos->member.next, typeof(*pos), member))
>
>
> <-- snip -->
>
>
> Without the "break", "handler" is being dereferenced after it was freed.
Yes, found it minute before :(
Acked, thanks.
>
>
>> Regards,
>> Alex.
>> Adrian Bunk wrote:
>>> This patch fixes a use-after-free introduced by
>>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
>>>
>>> Spotted by the Coverity checker.
>>>
>>> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
>>>
>>> ---
>>> --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
>>> +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
>>> @@ -434,11 +442,11 @@
>>> EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
>>>
>>> void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
>>> {
>>> - struct acpi_ec_query_handler *handler;
>>> + struct acpi_ec_query_handler *handler, *tmp;
>>> mutex_lock(>lock);
>>> - list_for_each_entry(handler, >list, node) {
>>> + list_for_each_entry_safe(handler, tmp, >list, node) {
>>> if (query_bit == handler->query_bit) {
>>> list_del(>node);
>>> kfree(handler);
>>> }
>>>
>
>
> cu
> Adrian
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
> Adrian,
>
> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
> use-after-free.
>
> Please check...
Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
<-- snip -->
list_for_each_entry(handler, >list, node) {
if (query_bit == handler->query_bit) {
list_del(>node);
kfree(handler);
- break;
}
}
<-- snip -->
If you look at the definition of list_for_each_entry() in
include/linux/list.h:
<-- snip -->
#define list_for_each_entry(pos, head, member) \
for (pos = list_entry((head)->next, typeof(*pos), member); \
prefetch(pos->member.next), >member != (head);\
pos = list_entry(pos->member.next, typeof(*pos), member))
<-- snip -->
Without the "break", "handler" is being dereferenced after it was freed.
> Regards,
> Alex.
> Adrian Bunk wrote:
> > This patch fixes a use-after-free introduced by
> > commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
> >
> > Spotted by the Coverity checker.
> >
> > Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
> >
> > ---
> > --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
> > +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
> > @@ -434,11 +442,11 @@
> > EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
> >
> > void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
> > {
> > - struct acpi_ec_query_handler *handler;
> > + struct acpi_ec_query_handler *handler, *tmp;
> > mutex_lock(>lock);
> > - list_for_each_entry(handler, >list, node) {
> > + list_for_each_entry_safe(handler, tmp, >list, node) {
> > if (query_bit == handler->query_bit) {
> > list_del(>node);
> > kfree(handler);
> > }
> >
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Adrian,
commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
use-after-free.
Please check...
Regards,
Alex.
Adrian Bunk wrote:
> This patch fixes a use-after-free introduced by
> commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
>
> Spotted by the Coverity checker.
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
>
> ---
> --- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
> +++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
> @@ -434,11 +442,11 @@
> EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
>
> void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
> {
> - struct acpi_ec_query_handler *handler;
> + struct acpi_ec_query_handler *handler, *tmp;
> mutex_lock(>lock);
> - list_for_each_entry(handler, >list, node) {
> + list_for_each_entry_safe(handler, tmp, >list, node) {
> if (query_bit == handler->query_bit) {
> list_del(>node);
> kfree(handler);
> }
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[2.6 patch] acpi/ec.c: fix use-after-free
This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
Spotted by the Coverity checker.
Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
---
--- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
+++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
@@ -434,11 +442,11 @@
EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
{
- struct acpi_ec_query_handler *handler;
+ struct acpi_ec_query_handler *handler, *tmp;
mutex_lock(>lock);
- list_for_each_entry(handler, >list, node) {
+ list_for_each_entry_safe(handler, tmp, >list, node) {
if (query_bit == handler->query_bit) {
list_del(>node);
kfree(handler);
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[2.6 patch] acpi/ec.c: fix use-after-free
This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
Spotted by the Coverity checker.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
---
--- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
+++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
@@ -434,11 +442,11 @@
EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
{
- struct acpi_ec_query_handler *handler;
+ struct acpi_ec_query_handler *handler, *tmp;
mutex_lock(ec-lock);
- list_for_each_entry(handler, ec-list, node) {
+ list_for_each_entry_safe(handler, tmp, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
}
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Adrian,
commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
use-after-free.
Please check...
Regards,
Alex.
Adrian Bunk wrote:
This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
Spotted by the Coverity checker.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
---
--- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
+++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
@@ -434,11 +442,11 @@
EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
{
- struct acpi_ec_query_handler *handler;
+ struct acpi_ec_query_handler *handler, *tmp;
mutex_lock(ec-lock);
- list_for_each_entry(handler, ec-list, node) {
+ list_for_each_entry_safe(handler, tmp, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
}
-
To unsubscribe from this list: send the line unsubscribe linux-acpi in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
Adrian,
commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
use-after-free.
Please check...
Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
-- snip --
list_for_each_entry(handler, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
- break;
}
}
-- snip --
If you look at the definition of list_for_each_entry() in
include/linux/list.h:
-- snip --
#define list_for_each_entry(pos, head, member) \
for (pos = list_entry((head)-next, typeof(*pos), member); \
prefetch(pos-member.next), pos-member != (head);\
pos = list_entry(pos-member.next, typeof(*pos), member))
-- snip --
Without the break, handler is being dereferenced after it was freed.
Regards,
Alex.
Adrian Bunk wrote:
This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
Spotted by the Coverity checker.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
---
--- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
+++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
@@ -434,11 +442,11 @@
EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
{
- struct acpi_ec_query_handler *handler;
+ struct acpi_ec_query_handler *handler, *tmp;
mutex_lock(ec-lock);
- list_for_each_entry(handler, ec-list, node) {
+ list_for_each_entry_safe(handler, tmp, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
}
cu
Adrian
--
Is there not promise of rain? Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
Only a promise, Lao Er said.
Pearl S. Buck - Dragon Seed
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [2.6 patch] acpi/ec.c: fix use-after-free
Adrian Bunk wrote:
On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
Adrian,
commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce
use-after-free.
Please check...
Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
-- snip --
list_for_each_entry(handler, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
- break;
}
}
-- snip --
If you look at the definition of list_for_each_entry() in
include/linux/list.h:
-- snip --
#define list_for_each_entry(pos, head, member) \
for (pos = list_entry((head)-next, typeof(*pos), member); \
prefetch(pos-member.next), pos-member != (head);\
pos = list_entry(pos-member.next, typeof(*pos), member))
-- snip --
Without the break, handler is being dereferenced after it was freed.
Yes, found it minute before :(
Acked, thanks.
Regards,
Alex.
Adrian Bunk wrote:
This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
Spotted by the Coverity checker.
Signed-off-by: Adrian Bunk [EMAIL PROTECTED]
---
--- linux-2.6/drivers/acpi/ec.c.old 2007-10-23 19:39:47.0 +0200
+++ linux-2.6/drivers/acpi/ec.c 2007-10-23 19:34:55.0 +0200
@@ -434,11 +442,11 @@
EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
{
- struct acpi_ec_query_handler *handler;
+ struct acpi_ec_query_handler *handler, *tmp;
mutex_lock(ec-lock);
- list_for_each_entry(handler, ec-list, node) {
+ list_for_each_entry_safe(handler, tmp, ec-list, node) {
if (query_bit == handler-query_bit) {
list_del(handler-node);
kfree(handler);
}
cu
Adrian
-
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
