lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20130106050953.GH6919@lizard.sbx05280.losalca.wayport.net>
Date:	Sat, 5 Jan 2013 21:09:53 -0800
From:	Anton Vorontsov <anton@...msg.org>
To:	Julia Lawall <Julia.Lawall@...6.fr>
Cc:	kernel-janitors@...r.kernel.org,
	David Woodhouse <dwmw2@...radead.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drivers/power/88pm860x_battery.c: use
 devm_request_threaded_irq

On Sat, Dec 08, 2012 at 06:16:35PM +0100, Julia Lawall wrote:
> From: Julia Lawall <Julia.Lawall@...6.fr>
> 
> devm_request_threaded_irq requests and irq that is freed when a driver
> detaches.  This patch uses devm_request_threaded_irq for irqs that are
> requested in the probe function of a platform device and are only freed in
> the remove function.
> 
> Additionally, the original code used devm_kzalloc, but kfree.  This would
> lead to a double free.  The problem was found using the following semantic
> match (http://coccinelle.lip6.fr/):
> 
> // <smpl>
> @@
> expression x,e;
> @@
> x = devm_kzalloc(...)
> ... when != x = e
> ?-kfree(x,...);
> // </smpl>
> 
> The error handling code in the probe function is also simplified in the
> cases where there is now nothing to do other than return.
> 
> Signed-off-by: Julia Lawall <Julia.Lawall@...6.fr>
> 
> ---
[....]
> @@ -994,9 +989,6 @@ static int pm860x_battery_remove(struct platform_device *pdev)
>  	struct pm860x_battery_info *info = platform_get_drvdata(pdev);
>  
>  	power_supply_unregister(&info->battery);
> -	free_irq(info->irq_batt, info);
> -	free_irq(info->irq_cc, info);
> -	kfree(info);

It is not safe to access battery ('struct power_supply') object after
_unregister() (and irq handlers will surely do). Instead of removing
free_irq(), the right fix would be to place the two calls before
_unregister().

Thanks,
Anton

>  	platform_set_drvdata(pdev, NULL);
>  	return 0;
>  }
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ