From: Eric Paris <eparis@redhat.com>
To: bcm43xx-dev@lists.berlios.de
Cc: mb@bu3sch.de, linville@tuxdriver.com, linux-wireless@vger.kernel.org
Subject: [PATCH] b43: rfkill use after free
Date: Sun, 13 Jan 2008 16:20:52 -0500
Message-ID: <1200259252.4393.22.camel@localhost.localdomain>
Inside b43_rfkill_exit() we call rfkill_unregister() which puts the last
reference and frees the rfkill struct. Then just 3 lines later the code
explicitly calls rfkill_free() on the struct we already freed. This
showed up as slub corruption (what should have been 6b was showing up as
6a) since the rfkill_free had dec'ed the area that should have been the
use counter.

Stop using the already freed rfkill struct.
=============================================================================
BUG kmalloc-1024 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------
INFO: 0xf40b89e8-0xf40b89e8. First byte 0x6a instead of 0x6b
INFO: Allocated in rfkill_allocate+0x1b/0x8b [rfkill] age=231032011 cpu=0 pid=2403
INFO: Freed in rfkill_release+0xd/0x19 [rfkill] age=366 cpu=0 pid=2403
INFO: Slab 0xc1b62840 used=6 fp=0xf40b8860 flags=0x400040c3
INFO: Object 0xf40b8860 @offset=2144 fp=0x00000000
Signed-off-by: Eric Paris <eparis@redhat.com>
---
drivers/net/wireless/b43/rfkill.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/wireless/b43/rfkill.c b/drivers/net/wireless/b43/rfkill.c
index 98cf70c..a19be53 100644
--- a/drivers/net/wireless/b43/rfkill.c
+++ b/drivers/net/wireless/b43/rfkill.c
@@ -195,6 +195,5 @@ void b43_rfkill_exit(struct b43_wldev *dev)
rfkill_unregister(rfk->rfkill);
input_free_polled_device(rfk->poll_dev);
rfk->poll_dev = NULL;
- rfkill_free(rfk->rfkill);
rfk->rfkill = NULL;
}
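Review bot: with the rfkill_free(rfk->rfkill) line gone, nothing at the rfkill_unregister(rfk->rfkill) call records that, per the commit message, unregistering puts the last reference and frees the struct; a one-line comment above that call would keep a later cleanup from reintroducing the second release. Also, rfk->rfkill still holds the freed pointer while input_free_polled_device(rfk->poll_dev) runs; consider moving rfk->rfkill = NULL; to directly after rfkill_unregister() so no stale pointer is left in the structure during the rest of the exit path.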
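The poison pattern in the report above, reproduced in user space as an added example (not code from the patch or the kernel): a second put on an already freed object decrements the 0x6b poison where the counter used to be, and a poison check then finds 0x6a. struct toy_obj, toy_put(), toy_first_bad_byte() and run_exit_path() are hypothetical names, and the object layout is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte a debug slab writes over freed objects */

/* Hypothetical refcounted object; constructed layout, not struct rfkill. */
struct toy_obj {
    char     name[16];
    uint32_t refcount;
    char     pad[44];
};
static struct toy_obj slot;   /* static slot, so "freed" memory stays readable */

/* Drop a reference; the last put frees the object, modelled as poisoning it. */
static void toy_put(struct toy_obj *o)
{
    if (--o->refcount == 0)
        memset(o, POISON_FREE, sizeof(*o));
}

/* Poison check: offset of the first byte that is not 0x6b, or -1 if intact. */
static int toy_first_bad_byte(void)
{
    const unsigned char *p = (const unsigned char *)&slot;
    for (size_t i = 0; i < sizeof(slot); i++)
        if (p[i] != POISON_FREE)
            return (int)i;
    return -1;
}

/* Exit path: extra_put models a second release issued after the final put. */
static int run_exit_path(int extra_put)
{
    memset(&slot, 0, sizeof(slot));
    slot.refcount = 1;          /* freshly allocated, one reference held */
    toy_put(&slot);             /* last reference dropped: object is freed */
    if (extra_put)
        toy_put(&slot);         /* decrements poison 0x6b6b6b6b, no re-free */
    return toy_first_bad_byte();
}

int main(void)
{
    printf("single put: %d, double put: %d\n", run_exit_path(0), run_exit_path(1));
    return 0;
}
```

With a single put the poison is intact (-1); with the extra put the first bad byte falls inside the refcount field and reads 0x6a, the same one-byte signature as the "First byte 0x6a instead of 0x6b" line.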