From: Kalle Valo <kvalo@qca.qualcomm.com>
To: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: kernel-janitors@vger.kernel.org,
"John W. Linville" <linville@tuxdriver.com>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4/5] ath6kl/wmi.c: eliminate possible double free
Date: Fri, 16 Nov 2012 11:17:04 +0000 [thread overview]
Message-ID: <50A620B0.6020007@qca.qualcomm.com> (raw)
In-Reply-To: <1350816727-1381-5-git-send-email-Julia.Lawall@lip6.fr>
Hi Julia,
On 10/21/2012 01:52 PM, Julia Lawall wrote:
> From: Julia Lawall <Julia.Lawall@lip6.fr>
>
> This makes two changes. In ath6kl_wmi_cmd_send, a call to dev_kfree_skb on
> the skb argument is added to the initial sanity check to more completely
> establish the invariant that ath6kl_wmi_cmd_send owns its skb argument.
> Then, in ath6kl_wmi_sync_point, on failure of the call to
> ath6kl_wmi_cmd_send, the clearing of the local skb variable is moved up, so
> that the error-handling code at the end of the function does not free it
> again.
>
> A simplified version of the semantic match that finds this problem is as
> follows: (http://coccinelle.lip6.fr/)
>
> // <smpl>
> @r@
> identifier f,free,a;
> parameter list[n] ps;
> type T;
> expression e;
> @@
>
> f(ps,T a,...) {
> ... when any
> when != a = e
> if(...) { ... free(a); ... return ...; }
> ... when any
> }
>
> @@
> identifier r.f,r.free;
> expression x,a;
> expression list[r.n] xs;
> @@
>
> * x = f(xs,a,...);
> if (...) { ... free(a); ... return ...; }
> // </smpl>
>
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
I think this patch which is commited to ath6kl.git has fixed this.
commit 0616dc1f2bef563d7916c0dcedbb1bff7d9bd80b
Author: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Date: Tue Aug 14 10:10:33 2012 +0530
ath6kl: Fix potential skb double free in ath6kl_wmi_sync_point()
skb given to ath6kl_control_tx() is owned by ath6kl_control_tx().
Calling function should not free the skb for error cases.
This is found during code review.
kvalo: fix a checkpatch warning in ath6kl_wmi_cmd_send()
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
https://github.com/kvalo/ath6kl/commit/0616dc1f2bef563d7916c0dcedbb1bff7d9bd80b
If you have the time, I would appreciate if you could take a look and
confirm.
Kalle
WARNING: multiple messages have this Message-ID (diff)
From: Kalle Valo <kvalo@qca.qualcomm.com>
To: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: <kernel-janitors@vger.kernel.org>,
"John W. Linville" <linville@tuxdriver.com>,
<linux-wireless@vger.kernel.org>, <netdev@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/5] ath6kl/wmi.c: eliminate possible double free
Date: Fri, 16 Nov 2012 13:17:04 +0200 [thread overview]
Message-ID: <50A620B0.6020007@qca.qualcomm.com> (raw)
In-Reply-To: <1350816727-1381-5-git-send-email-Julia.Lawall@lip6.fr>
Hi Julia,
On 10/21/2012 01:52 PM, Julia Lawall wrote:
> From: Julia Lawall <Julia.Lawall@lip6.fr>
>
> This makes two changes. In ath6kl_wmi_cmd_send, a call to dev_kfree_skb on
> the skb argument is added to the initial sanity check to more completely
> establish the invariant that ath6kl_wmi_cmd_send owns its skb argument.
> Then, in ath6kl_wmi_sync_point, on failure of the call to
> ath6kl_wmi_cmd_send, the clearing of the local skb variable is moved up, so
> that the error-handling code at the end of the function does not free it
> again.
>
> A simplified version of the semantic match that finds this problem is as
> follows: (http://coccinelle.lip6.fr/)
>
> // <smpl>
> @r@
> identifier f,free,a;
> parameter list[n] ps;
> type T;
> expression e;
> @@
>
> f(ps,T a,...) {
> ... when any
> when != a = e
> if(...) { ... free(a); ... return ...; }
> ... when any
> }
>
> @@
> identifier r.f,r.free;
> expression x,a;
> expression list[r.n] xs;
> @@
>
> * x = f(xs,a,...);
> if (...) { ... free(a); ... return ...; }
> // </smpl>
>
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
I think this patch which is commited to ath6kl.git has fixed this.
commit 0616dc1f2bef563d7916c0dcedbb1bff7d9bd80b
Author: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Date: Tue Aug 14 10:10:33 2012 +0530
ath6kl: Fix potential skb double free in ath6kl_wmi_sync_point()
skb given to ath6kl_control_tx() is owned by ath6kl_control_tx().
Calling function should not free the skb for error cases.
This is found during code review.
kvalo: fix a checkpatch warning in ath6kl_wmi_cmd_send()
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
https://github.com/kvalo/ath6kl/commit/0616dc1f2bef563d7916c0dcedbb1bff7d9bd80b
If you have the time, I would appreciate if you could take a look and
confirm.
Kalle
next prev parent reply other threads:[~2012-11-16 11:17 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-21 10:52 [PATCH 0/5] eliminate possible double free Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-10-21 10:52 ` [PATCH 1/5] sound/isa/opti9xx/miro.c: " Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-10-21 12:18 ` Takashi Iwai
2012-10-21 12:18 ` Takashi Iwai
2012-10-21 10:52 ` [PATCH 2/5] drivers/net/wireless/ti/wlcore/main.c: eliminate possible double power off Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-11-16 18:18 ` Luciano Coelho
2012-11-16 18:18 ` Luciano Coelho
2012-10-21 10:52 ` [PATCH 3/5] arch/powerpc/kernel/rtas_flash.c: eliminate possible double free Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-10-21 10:52 ` [PATCH 4/5] ath6kl/wmi.c: " Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-11-16 11:17 ` Kalle Valo [this message]
2012-11-16 11:17 ` Kalle Valo
2012-10-21 10:52 ` [PATCH 5/5] drivers/iio/industrialio-event.c: " Julia Lawall
2012-10-21 10:52 ` Julia Lawall
2012-11-02 9:39 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50A620B0.6020007@qca.qualcomm.com \
--to=kvalo@qca.qualcomm.com \
--cc=Julia.Lawall@lip6.fr \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.