Date: Sat, 23 Sep 2017 12:57:33 +0200 (CEST)
From: Stefan Wahren <stefan.wahren@...e.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Aishwarya Pant <aishpant@...il.com>, Phil Elwell <phil@...pberrypi.org>, Eric Anholt <eric@...olt.net>, linux-kernel@...r.kernel.org, devel@...verdev.osuosl.org, Dan Carpenter <dan.carpenter@...cle.com>, linux-rpi-kernel@...ts.infradead.org
Subject: Re: [PATCH v2] staging: bcm2835-audio: Fix memory corruption

Hi Greg,

> Phil Elwell <phil@...pberrypi.org> wrote on 11 August 2017 at 12:20:
>
>
> The previous commit (0adbfd46) fixed a memory leak but also freed a
> block in the success case, causing a stale pointer to be used with
> potentially fatal results. Only free the vchi_instance block in the
> case that vchi_connect fails; once connected, the instance is
> retained for subsequent connections.
>
> Simplifying the code by removing a bunch of gotos and returning errors
> directly.
>
> Signed-off-by: Phil Elwell <phil@...pberrypi.org>
> Fixes: 0adbfd4694c2 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()")

can you still apply this patch or do you need a resend?

> ---
> [Resend with v2 in subject]
> v2: Simplified following feedback from Dan Carpenter.
> ---
> .../vc04_services/bcm2835-audio/bcm2835-vchiq.c | 19 +++++++------------
> 1 file changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
> index 5f3d8f2..4be864d 100644
> --- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
> +++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
> @@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream > __func__, instance); > instance->alsa_stream = alsa_stream; > alsa_stream->instance = instance; > - ret = 0; // xxx todo -1; > - goto err_free_mem; > + return 0; > } > > /* Initialize and create a VCHI connection */ > @@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream > LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n", > __func__, ret); > > - ret = -EIO; > - goto err_free_mem; > + return -EIO; > } > ret = vchi_connect(NULL, 0, vchi_instance); > if (ret) { > LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n", > __func__, ret); > > - ret = -EIO; > - goto err_free_mem; > + kfree(vchi_instance); > + return -EIO; > } > initted = 1; > } > @@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream > if (IS_ERR(instance)) { > LOG_ERR("%s: failed to initialize audio service\n", __func__); > > - ret = PTR_ERR(instance); > - goto err_free_mem; > + /* vchi_instance is retained for use the next time. */ > + return PTR_ERR(instance); > } > > instance->alsa_stream = alsa_stream; > alsa_stream->instance = instance; > > LOG_DBG(" success !\n"); > - ret = 0; > -err_free_mem: > - kfree(vchi_instance); > > - return ret; > + return 0; > } > > int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream) > -- > 1.9.1 >
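
Review bot: In the first hunk (@@ -390), the early-return branch drops the `// xxx todo -1` marker together with the goto, but the commit message does not say whether returning 0 on this path is the settled behaviour or whether the question behind that TODO is still open. If success is what is intended here, a short comment above `return 0;` saying so would keep the decision visible; if it is not, the TODO should survive the cleanup.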
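
Review bot: In the second hunk (@@ -401), the vchi_connect failure branch leaves vchi_instance pointing at freed memory after `kfree(vchi_instance);`. The commit message says the instance is retained for subsequent connections, which implies the pointer outlives this call, and a stale pointer is exactly the bug class this patch fixes. Suggest adding `vchi_instance = NULL;` directly after the kfree. The vchi_initialise failure branch just above now returns -EIO without any free; that is correct only if vchi_initialise leaves nothing allocated when it fails, which deserves a one-line comment.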
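
Review bot: In the third hunk (@@ -421), with `err_free_mem:` and its kfree removed, nothing in the visible lines releases vchi_instance once vchi_connect has succeeded, and the only statement of its lifetime is the comment inside the IS_ERR(instance) branch. Please document the ownership where it covers both exits, for example at `initted = 1;` or at the variable's declaration, and say where the block is finally freed or that it deliberately lives as long as the module.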