Message-ID: <20120809135416.GA13100@localhost>
Date:	Thu, 9 Aug 2012 21:54:16 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Mauro Carvalho Chehab <mchehab@...hat.com>
Cc:	Dave Peterson <dsp@...l.gov>, kernel-janitors@...r.kernel.org,
	Doug Thompson <dougthompson@...ssion.com>,
	linux-edac@...r.kernel.org, linux-kernel@...r.kernel.org

Subject: possible double free in edac_mc_alloc()
Reply-To: 
User-Agent: Heirloom mailx 12.5 6/20/10

Hi,

coccinelle warns about:

+ drivers/edac/edac_mc.c:429:9-23: ERROR: reference preceded by free on line 429

and that line does look strange: the 'i' seems like a temporary value
used in previous loops, and it won't change at all in the current
loop. Which means the same mci->csrows[i] gets freed once and again.
It might also do double free for the previous kfree(csr) line.

vim +429 drivers/edac/edac_mc.c

   416         if (mci->dimms) {
   417                 for (i = 0; i < tot_dimms; i++)
   418                         kfree(mci->dimms[i]);
   419                 kfree(mci->dimms);
   420         }
   421         if (mci->csrows) {
   422                 for (chn = 0; chn < tot_channels; chn++) {
   423                         csr = mci->csrows[chn];
   424                         if (csr) {
   425                                 for (chn = 0; chn < tot_channels; chn++)
   426                                         kfree(csr->channels[chn]);
   427                                 kfree(csr);
   428                         }
 > 429                         kfree(mci->csrows[i]);
   430                 }
   431                 kfree(mci->csrows);
   432         }

---
0-DAY kernel build testing backend         Open Source Technology Centre
Fengguang Wu <wfg@...ux.intel.com>                     Intel Corporation
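
A userspace model of the cleanup loop quoted in the message above, added here as an example; it is not part of the original message or of the kernel source. Counters stand in for kfree() so repeated and skipped releases can be counted safely; ROWS, CHNS, the function names and the cleanup_distinct variant are assumptions made for illustration, not the fix that was applied upstream.

```c
#include <stdio.h>
#include <string.h>
#define ROWS 3 /* constructed csrow count (assumption) */
#define CHNS 2 /* constructed channels per csrow (assumption) */
/* Counters stand in for kfree(): one slot per csrow, then its channels. */
static int rel[ROWS * (1 + CHNS)];
#define ROW(r)    rel[(r) * (1 + CHNS)]
#define CHN(r, c) rel[(r) * (1 + CHNS) + 1 + (c)]
static void reset(void) { memset(rel, 0, sizeof rel); }

/* Loop shape of the quoted lines 422-430: the inner loop reuses 'chn',
 * and line 429 indexes with 'i', which this loop never updates. */
static void cleanup_as_posted(int i) {
    for (int chn = 0; chn < CHNS; chn++) {
        int row = chn;               /* csr = mci->csrows[chn] */
        for (chn = 0; chn < CHNS; chn++)
            CHN(row, chn)++;         /* kfree(csr->channels[chn]) */
        ROW(row)++;                  /* kfree(csr) */
        ROW(i)++;                    /* kfree(mci->csrows[i]) */
    }
}

/* Hypothetical variant: one index per level, one release per object. */
static void cleanup_distinct(void) {
    for (int row = 0; row < ROWS; row++) {
        for (int chn = 0; chn < CHNS; chn++)
            CHN(row, chn)++;
        ROW(row)++;
    }
}

/* Returns objects released more than once; *leaked counts those never released. */
static int audit(int *leaked) {
    int doubled = *leaked = 0;
    for (size_t k = 0; k < sizeof rel / sizeof rel[0]; k++) {
        doubled += rel[k] > 1;       /* count above 1: double free */
        *leaked += rel[k] == 0;      /* count of 0: never released */
    }
    return doubled;
}

int main(void) {
    int leaked, doubled;
    reset(); cleanup_as_posted(0); doubled = audit(&leaked);
    printf("as posted: %d released twice, %d never released\n", doubled, leaked);
    reset(); cleanup_distinct(); doubled = audit(&leaked);
    printf("distinct:  %d released twice, %d never released\n", doubled, leaked);
    return 0;
}
```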