linux-acpi.vger.kernel.org archive mirror
* acpi_battery_add(): use-after-free
From: Adrian Bunk @ 2007-07-29 15:00 UTC
  To: lenb; +Cc: linux-acpi, linux-kernel

The Coverity checker spotted the following use-after-free in 
acpi_battery_add():

<--  snip  -->

...
static int acpi_battery_add(struct acpi_device *device)
{
...
        if (result) {
                acpi_battery_remove_fs(device);
                kfree(battery);
        }

        mutex_unlock(&battery->mutex);
...

<--  snip  -->

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



* Re: acpi_battery_add(): use-after-free
From: Andrew Morton @ 2007-07-30 22:34 UTC
  To: Adrian Bunk; +Cc: lenb, linux-acpi, linux-kernel

On Sun, 29 Jul 2007 17:00:46 +0200
Adrian Bunk <bunk@stusta.de> wrote:

> The Coverity checker spotted the following use-after-free in 
> acpi_battery_add():
> 
> <--  snip  -->
> 
> ...
> static int acpi_battery_add(struct acpi_device *device)
> {
> ...
>         if (result) {
>                 acpi_battery_remove_fs(device);
>                 kfree(battery);
>         }
> 
>         mutex_unlock(&battery->mutex);
> ...
> 
> <--  snip  -->
> 

This?

--- a/drivers/acpi/battery.c~acpi_battery_add-use-after-free
+++ a/drivers/acpi/battery.c
@@ -931,13 +931,12 @@ static int acpi_battery_add(struct acpi_
 
       end:
 
+	mutex_unlock(&battery->mutex);
 	if (result) {
 		acpi_battery_remove_fs(device);
 		kfree(battery);
 	}
 
-	mutex_unlock(&battery->mutex);
-
 	return result;
 }
 
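Review bot: in the error branch under end:, acpi_battery_remove_fs(device) now runs after battery->mutex has been released, so that teardown is no longer serialized against anything else that takes the same mutex. Moving the unlock ahead of kfree(battery) does stop the unlock from touching freed memory, but please confirm that nothing else can still reach battery between mutex_unlock() and kfree(); if something can, the kfree() is still a use-after-free for that path. If the teardown is meant to stay under the lock, the alternative is to leave the success-path unlock before "return result" and add a second mutex_unlock(&battery->mutex) inside the if (result) block, directly before kfree(battery).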
_

