lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 May 2015 19:00:56 -0300 From: Fabio Estevam <festevam@...il.com> To: Alexey Khoroshilov <khoroshilov@...ras.ru> Cc: Jonathan Cameron <jic23@...nel.org>, Hartmut Knaack <knaack.h@....de>, Lars-Peter Clausen <lars@...afoo.de>, Peter Meerwald <pmeerw@...erw.net>, linux-iio@...r.kernel.org, linux-kernel <linux-kernel@...r.kernel.org>, ldv-project@...uxtesting.org Subject: Re: [PATCH] iio: hid-sensors: Fix memory leak on failure path in hid_prox_probe() On Wed, May 6, 2015 at 6:48 PM, Alexey Khoroshilov <khoroshilov@...ras.ru> wrote: > If prox_parse_report() fails, memory allocated for channels is not > deallocated, since it is still in local variable channels > while kfree() is called with indio_dev->channels. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru> > --- > drivers/iio/light/hid-sensor-prox.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c > index 91ecc46ffeaa..d0d188108a11 100644 > --- a/drivers/iio/light/hid-sensor-prox.c > +++ b/drivers/iio/light/hid-sensor-prox.c > @@ -281,8 +281,9 @@ static int hid_prox_probe(struct platform_device *pdev) > ret = prox_parse_report(pdev, hsdev, channels, > HID_USAGE_SENSOR_PROX, prox_state); > if (ret) { > + kfree(channels); > dev_err(&pdev->dev, "failed to setup attributes\n"); > - goto error_free_dev_mem; > + return ret; Then the other calls to error_free_dev_mem will also miss to call 'kfree(channels)'. What about this fix instead? --- a/drivers/iio/light/hid-sensor-prox.c +++ b/drivers/iio/light/hid-sensor-prox.c @@ -332,7 +332,7 @@ error_remove_trigger: error_unreg_buffer_funcs: iio_triggered_buffer_cleanup(indio_dev); error_free_dev_mem: - kfree(indio_dev->channels); + kfree(channels); return ret; } Regards, Fabio Estevam -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists