From: Michael Buesch <mb@bu3sch.de>
To: Eric Paris <eparis@redhat.com>
Cc: bcm43xx-dev@lists.berlios.de, linville@tuxdriver.com,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH] b43: rfkill use after free
Date: Sun, 13 Jan 2008 22:28:27 +0100
Message-ID: <200801132228.28234.mb@bu3sch.de>
In-Reply-To: <1200259252.4393.22.camel@localhost.localdomain>

On Sunday 13 January 2008 22:20:52 Eric Paris wrote:
> inside b43_rfkill_exit() we call rfkill_unregister() which puts the last
> reference and frees the rfkill struct. Then just 3 lines later the code
> explicitly calls rfkill_free() on the struct we already freed. This
> showed up as slub corruption (what should have been 6b was showing up as
> 6a) since the rfkill_free had dec'ed the area that should have been the
> use counter.
>
> stop using the already freed rfkill struct.
>
> =============================================================================
> BUG kmalloc-1024 (Not tainted): Poison overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0xf40b89e8-0xf40b89e8. First byte 0x6a instead of 0x6b
> INFO: Allocated in rfkill_allocate+0x1b/0x8b [rfkill] age=231032011 cpu=0 pid=2403
> INFO: Freed in rfkill_release+0xd/0x19 [rfkill] age=366 cpu=0 pid=2403
> INFO: Slab 0xc1b62840 used=6 fp=0xf40b8860 flags=0x400040c3
> INFO: Object 0xf40b8860 @offset=2144 fp=0x00000000
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
>
> ---
>
> drivers/net/wireless/b43/rfkill.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/net/wireless/b43/rfkill.c b/drivers/net/wireless/b43/rfkill.c
> index 98cf70c..a19be53 100644
> --- a/drivers/net/wireless/b43/rfkill.c
> +++ b/drivers/net/wireless/b43/rfkill.c
> @@ -195,6 +195,5 @@ void b43_rfkill_exit(struct b43_wldev *dev)
> rfkill_unregister(rfk->rfkill);
> input_free_polled_device(rfk->poll_dev);
> rfk->poll_dev = NULL;
> - rfkill_free(rfk->rfkill);
> rfk->rfkill = NULL;
> }
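Review bot: After this change nothing at the rfkill_unregister(rfk->rfkill) call in b43_rfkill_exit() records that unregistering drops the last reference and releases the struct, which is the ownership rule the commit message depends on; a short comment above that call would keep a later cleanup from re-adding rfkill_free(). The commit message also covers only the case where the device was registered, so please state whether b43_rfkill_exit() can ever run with an allocated but unregistered rfk->rfkill, because that path would now have no release call left in this function.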
>
>
>
>
NACK.
Better patch available from Stefano.
--
Greetings Michael.
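
The corruption described in the quoted commit message, modelled in user space as an added example (not part of the original thread and not kernel code): a freed object is filled with the SLUB poison byte 0x6b, and a second release through the stale pointer decrements what used to be the use counter, leaving a single 0x6a byte for the poison check to report. OBJ_SIZE, REF_OFFSET and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b /* byte SLUB debugging writes over a freed object */
#define POISON_END  0xa5 /* byte that terminates the poisoned object */
#define OBJ_SIZE    64   /* constructed size, not the real struct rfkill */
#define REF_OFFSET  8    /* hypothetical offset of the use counter */

/* Model of a free with poisoning enabled. */
static void poison_object(uint8_t *obj, size_t size)
{
    memset(obj, POISON_FREE, size - 1);
    obj[size - 1] = POISON_END;
}

/* Model of the poison check: offset of the first damaged byte, or -1. */
static long check_poison(const uint8_t *obj, size_t size, uint8_t *found)
{
    for (size_t i = 0; i < size; i++) {
        uint8_t want = (i == size - 1) ? POISON_END : POISON_FREE;
        if (obj[i] != want) {
            *found = obj[i];
            return (long)i;
        }
    }
    return -1;
}

/* Second release through a stale pointer: decrements the 32-bit counter
 * that now lives in freed, poisoned memory. */
static void stale_put(uint8_t *obj)
{
    uint32_t refs;
    memcpy(&refs, obj + REF_OFFSET, sizeof(refs));
    refs--; /* 0x6b6b6b6b becomes 0x6b6b6b6a */
    memcpy(obj + REF_OFFSET, &refs, sizeof(refs));
}

int main(void)
{
    uint8_t obj[OBJ_SIZE], found = 0;
    poison_object(obj, sizeof(obj));
    stale_put(obj);
    long off = check_poison(obj, sizeof(obj), &found);
    printf("offset %ld: 0x%02x instead of 0x%02x\n", off, (unsigned)found, (unsigned)POISON_FREE);
    return 0;
}
```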