[bug report] rapidio: add mport char device driver

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <error27@gmail.com>
To: Matt Porter <mporter@kernel.crashing.org>,
	Alexandre Bounine <alex.bou9@gmail.com>
Cc: kernel-janitors@vger.kernel.org
Subject: [bug report] rapidio: add mport char device driver
Date: Tue, 15 Nov 2022 16:17:56 +0300	[thread overview]
Message-ID: <Y3N/EaYqACc7bPCc@kili> (raw)

Hello Alexandre Bounine,

The patch e8de370188d0: "rapidio: add mport char device driver" from
Mar 22, 2016, leads to the following Smatch static checker warning:

	drivers/rapidio/devices/rio_mport_cdev.c:2185 mport_mm_close()
	error: dereferencing freed memory 'map'

drivers/rapidio/devices/rio_mport_cdev.c
    2178 static void mport_mm_close(struct vm_area_struct *vma)
    2179 {
    2180         struct rio_mport_mapping *map = vma->vm_private_data;
    2181 
    2182         rmcd_debug(MMAP, "%pad", &map->phys_addr);
    2183         mutex_lock(&map->md->buf_mutex);
    2184         kref_put(&map->ref, mport_release_mapping);
                                     ^^^^^^^^^^^^^^^^^^^^^
The mport_release_mapping() function frees "map".

--> 2185         mutex_unlock(&map->md->buf_mutex);
                               ^^^
Use after free.

    2186 }

regards,
dan carpenter

next             reply	other threads:[~2022-11-15 13:18 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-15 13:17 Dan Carpenter [this message]
2022-11-15 13:25 ` [bug report] rapidio: add mport char device driver Dan Carpenter
  -- strict thread matches above, loose matches on Subject: below --
2019-05-28 11:38 Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y3N/EaYqACc7bPCc@kili \
    --to=error27@gmail.com \
    --cc=alex.bou9@gmail.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=mporter@kernel.crashing.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.