From: Axel Lin <axel.lin@gmail.com>
To: linux-kernel <linux-kernel@vger.kernel.org>
Cc: Carlos Corbacho <carlos@strangeworlds.co.uk>,
Matthew Garrett <mjg@redhat.com>,
Thomas Renninger <trenn@suse.de>,
Alan Jenkins <alan-jenkins@tuffmail.co.uk>,
platform-driver-x86@vger.kernel.org
Subject: [PATCH v2] acer-wmi: fix memory leaks in wmab_execute error path
Date: Fri, 09 Jul 2010 12:37:36 +0800 [thread overview]
Message-ID: <1278650256.26099.4.camel@mola> (raw)
When acpi_evaluate_object() is passed ACPI_ALLOCATE_BUFFER,
the caller must kfree the returned buffer if AE_OK is returned.
Call Trace:
wmab_execute
-> wmi_evaluate_method
-> acpi_evaluate_object
Thus if callers of wmab_execute() pass ACPI_ALLOCATE_BUFFER,
the return buffer must be kfreed if wmab_execute return AE_OK.
Signed-off-by: Axel Lin <axel.lin@gmail.com>
---
drivers/platform/x86/acer-wmi.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
index 1ea6c43..3f44446 100644
--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -555,6 +555,7 @@ static acpi_status AMW0_find_mailled(void)
obj->buffer.length == sizeof(struct wmab_ret)) {
ret = *((struct wmab_ret *) obj->buffer.pointer);
} else {
+ kfree(out.pointer);
return AE_ERROR;
}
@@ -598,6 +599,7 @@ static acpi_status AMW0_set_capabilities(void)
obj->buffer.length == sizeof(struct wmab_ret)) {
ret = *((struct wmab_ret *) obj->buffer.pointer);
} else {
+ kfree(out.pointer);
return AE_ERROR;
}
@@ -607,15 +609,22 @@ static acpi_status AMW0_set_capabilities(void)
args.ebx = 2 << 8;
args.ebx |= ACER_AMW0_BLUETOOTH_MASK;
+ /*
+ * It's ok to use existing buffer for next wmab_execute call.
+ * But we need to kfree(out.pointer) if next wmab_execute fail.
+ */
status = wmab_execute(&args, &out);
- if (ACPI_FAILURE(status))
+ if (ACPI_FAILURE(status)) {
+ kfree(out.pointer);
return status;
+ }
obj = (union acpi_object *) out.pointer;
if (obj && obj->type == ACPI_TYPE_BUFFER
&& obj->buffer.length == sizeof(struct wmab_ret)) {
ret = *((struct wmab_ret *) obj->buffer.pointer);
} else {
+ kfree(out.pointer);
return AE_ERROR;
}
--
1.5.4.3
next reply other threads:[~2010-07-09 4:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-09 4:37 Axel Lin [this message]
2010-07-13 1:03 ` [PATCH v2] acer-wmi: fix memory leaks in wmab_execute error path Axel Lin
2010-07-13 1:35 ` Andrew Morton
2010-07-13 2:14 ` Axel Lin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1278650256.26099.4.camel@mola \
--to=axel.lin@gmail.com \
--cc=alan-jenkins@tuffmail.co.uk \
--cc=carlos@strangeworlds.co.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg@redhat.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=trenn@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.