linux-input.vger.kernel.org archive mirror
* [patch -next] input: adxl34x: fix leak and use after free
From: Dan Carpenter @ 2010-07-22  8:55 UTC
  To: Dmitry Torokhov
  Cc: Mike Frysinger, Michael Hennerich, Chris Verges, Luotao Fu,
	linux-input, kernel-janitors

These are a couple smatch issues.  In the original code, if only one of
the allocations fails we leak the other variable so we should goto
out_free_mem.

Also there was a use after free if debugging was enabled and so I moved
the kfree() down a line.

Signed-off-by: Dan Carpenter <error27@gmail.com>

diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
index bb9c10f..e925d12 100644
--- a/drivers/input/misc/adxl34x.c
+++ b/drivers/input/misc/adxl34x.c
@@ -709,7 +709,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
 	input_dev = input_allocate_device();
 	if (!ac || !input_dev) {
 		err = -ENOMEM;
-		goto err_out;
+		goto err_free_mem;
 	}
 
 	ac->fifo_delay = fifo_delay_default;
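Review bot: The new "goto err_free_mem" in adxl34x_probe() is taken when either ac or input_dev is NULL, so the cleanup at that label (not shown in this hunk) has to accept a NULL pointer for each of them. kfree(NULL) is a no-op and input_free_device() checks for NULL, so please confirm those are the calls used there. The changelog also names the label out_free_mem while the code uses err_free_mem; the message should match the code.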
@@ -904,9 +904,9 @@ int adxl34x_remove(struct adxl34x *ac)
 	sysfs_remove_group(&ac->dev->kobj, &adxl34x_attr_group);
 	free_irq(ac->irq, ac);
 	input_unregister_device(ac->input);
+	dev_dbg(ac->dev, "unregistered accelerometer\n");
 	kfree(ac);
 
-	dev_dbg(ac->dev, "unregistered accelerometer\n");
 	return 0;
 }
 EXPORT_SYMBOL_GPL(adxl34x_remove);
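Review bot: In adxl34x_remove() the dev_dbg() call reads ac->dev, so it has to stay above kfree(ac), but nothing in the code records that ordering constraint. Since the changelog says the use after free only shows up with debugging enabled, a later reordering would not be noticed in a normal build. Consider a one-line comment above the dev_dbg(), or copy the pointer to a local first ("struct device *dev = ac->dev;") if the message is meant to be logged after the free.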


* Re: [patch -next] input: adxl34x: fix leak and use after free
From: Dmitry Torokhov @ 2010-07-23  6:44 UTC
  To: Dan Carpenter
  Cc: Mike Frysinger, Michael Hennerich, Chris Verges, Luotao Fu,
	linux-input, kernel-janitors

On Thu, Jul 22, 2010 at 10:55:52AM +0200, Dan Carpenter wrote:
> These are a couple smatch issues.  In the original code, if only one of
> the allocations fails we leak the other variable so we should goto
> out_free_mem.
> 
> Also there was a use after free if debugging was enabled and so I moved
> the kfree() down a line.
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> 

Applied, thanks Dan.

> diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
> index bb9c10f..e925d12 100644
> --- a/drivers/input/misc/adxl34x.c
> +++ b/drivers/input/misc/adxl34x.c
> @@ -709,7 +709,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
>  	input_dev = input_allocate_device();
>  	if (!ac || !input_dev) {
>  		err = -ENOMEM;
> -		goto err_out;
> +		goto err_free_mem;
>  	}
>  
>  	ac->fifo_delay = fifo_delay_default;
> @@ -904,9 +904,9 @@ int adxl34x_remove(struct adxl34x *ac)
>  	sysfs_remove_group(&ac->dev->kobj, &adxl34x_attr_group);
>  	free_irq(ac->irq, ac);
>  	input_unregister_device(ac->input);
> +	dev_dbg(ac->dev, "unregistered accelerometer\n");
>  	kfree(ac);
>  
> -	dev_dbg(ac->dev, "unregistered accelerometer\n");
>  	return 0;
>  }
>  EXPORT_SYMBOL_GPL(adxl34x_remove);

-- 
Dmitry
