[2.6 patch] acpi/ec.c: fix use-after-free

[2.6 patch] acpi/ec.c: fix use-after-free

[Adrian Bunk]

This patch fixes a use-after-free introduced by
commit 30c08574da0ead1a47797ce028218ce5b2de61c7.

Spotted by the Coverity checker.

Signed-off-by: Adrian Bunk <bunk@kernel.org>

---
--- linux-2.6/drivers/acpi/ec.c.old	2007-10-23 19:39:47.000000000 +0200
+++ linux-2.6/drivers/acpi/ec.c	2007-10-23 19:34:55.000000000 +0200
@@ -434,11 +442,11 @@
 EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
 
 void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
 {
-	struct acpi_ec_query_handler *handler;
+	struct acpi_ec_query_handler *handler, *tmp;
 	mutex_lock(&ec->lock);
-	list_for_each_entry(handler, &ec->list, node) {
+	list_for_each_entry_safe(handler, tmp, &ec->list, node) {
 		if (query_bit == handler->query_bit) {
 			list_del(&handler->node);
 			kfree(handler);
 		}

Re: [2.6 patch] acpi/ec.c: fix use-after-free

[Alexey Starikovskiy]

Adrian,

commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce use-after-free.

Please check...

Regards,
Alex.
Adrian Bunk wrote:
> This patch fixes a use-after-free introduced by
> commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
> 
> Spotted by the Coverity checker.
> 
> Signed-off-by: Adrian Bunk <bunk@kernel.org>
> 
> ---
> --- linux-2.6/drivers/acpi/ec.c.old	2007-10-23 19:39:47.000000000 +0200
> +++ linux-2.6/drivers/acpi/ec.c	2007-10-23 19:34:55.000000000 +0200
> @@ -434,11 +442,11 @@
>  EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
>  
>  void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
>  {
> -	struct acpi_ec_query_handler *handler;
> +	struct acpi_ec_query_handler *handler, *tmp;
>  	mutex_lock(&ec->lock);
> -	list_for_each_entry(handler, &ec->list, node) {
> +	list_for_each_entry_safe(handler, tmp, &ec->list, node) {
>  		if (query_bit == handler->query_bit) {
>  			list_del(&handler->node);
>  			kfree(handler);
>  		}
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [2.6 patch] acpi/ec.c: fix use-after-free

[Adrian Bunk]

On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
> Adrian,
> 
> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce use-after-free.
> 
> Please check...


Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:

<--  snip  -->

 	list_for_each_entry(handler, &ec->list, node) {
                if (query_bit == handler->query_bit) {
                        list_del(&handler->node);
                        kfree(handler);
-                       break;
                }
	}

<--  snip  -->


If you look at the definition of list_for_each_entry() in 
include/linux/list.h:

<--  snip  -->

#define list_for_each_entry(pos, head, member)                          \
        for (pos = list_entry((head)->next, typeof(*pos), member);      \
             prefetch(pos->member.next), &pos->member != (head);        \
             pos = list_entry(pos->member.next, typeof(*pos), member))
                              ^^^^^^^^^^^^^^^^

<--  snip  -->


Without the "break", "handler" is being dereferenced after it was freed.


> Regards,
> Alex.
> Adrian Bunk wrote:
> > This patch fixes a use-after-free introduced by
> > commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
> > 
> > Spotted by the Coverity checker.
> > 
> > Signed-off-by: Adrian Bunk <bunk@kernel.org>
> > 
> > ---
> > --- linux-2.6/drivers/acpi/ec.c.old	2007-10-23 19:39:47.000000000 +0200
> > +++ linux-2.6/drivers/acpi/ec.c	2007-10-23 19:34:55.000000000 +0200
> > @@ -434,11 +442,11 @@
> >  EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
> >  
> >  void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
> >  {
> > -	struct acpi_ec_query_handler *handler;
> > +	struct acpi_ec_query_handler *handler, *tmp;
> >  	mutex_lock(&ec->lock);
> > -	list_for_each_entry(handler, &ec->list, node) {
> > +	list_for_each_entry_safe(handler, tmp, &ec->list, node) {
> >  		if (query_bit == handler->query_bit) {
> >  			list_del(&handler->node);
> >  			kfree(handler);
> >  		}
> > 


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [2.6 patch] acpi/ec.c: fix use-after-free

[Alexey Starikovskiy]

Adrian Bunk wrote:
> On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
>> Adrian,
>>
>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce use-after-free.
>>
>> Please check...
> 
> 
> Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
> 
> <--  snip  -->
> 
>  	list_for_each_entry(handler, &ec->list, node) {
>                 if (query_bit == handler->query_bit) {
>                         list_del(&handler->node);
>                         kfree(handler);
> -                       break;
>                 }
> 	}
> 
> <--  snip  -->
> 
> 
> If you look at the definition of list_for_each_entry() in 
> include/linux/list.h:
> 
> <--  snip  -->
> 
> #define list_for_each_entry(pos, head, member)                          \
>         for (pos = list_entry((head)->next, typeof(*pos), member);      \
>              prefetch(pos->member.next), &pos->member != (head);        \
>              pos = list_entry(pos->member.next, typeof(*pos), member))
>                               ^^^^^^^^^^^^^^^^
> 
> <--  snip  -->
> 
> 
> Without the "break", "handler" is being dereferenced after it was freed.
Yes, found it minute before :( 
Acked, thanks.
> 
> 
>> Regards,
>> Alex.
>> Adrian Bunk wrote:
>>> This patch fixes a use-after-free introduced by
>>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
>>>
>>> Spotted by the Coverity checker.
>>>
>>> Signed-off-by: Adrian Bunk <bunk@kernel.org>
>>>
>>> ---
>>> --- linux-2.6/drivers/acpi/ec.c.old	2007-10-23 19:39:47.000000000 +0200
>>> +++ linux-2.6/drivers/acpi/ec.c	2007-10-23 19:34:55.000000000 +0200
>>> @@ -434,11 +442,11 @@
>>>  EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
>>>  
>>>  void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
>>>  {
>>> -	struct acpi_ec_query_handler *handler;
>>> +	struct acpi_ec_query_handler *handler, *tmp;
>>>  	mutex_lock(&ec->lock);
>>> -	list_for_each_entry(handler, &ec->list, node) {
>>> +	list_for_each_entry_safe(handler, tmp, &ec->list, node) {
>>>  		if (query_bit == handler->query_bit) {
>>>  			list_del(&handler->node);
>>>  			kfree(handler);
>>>  		}
>>>
> 
> 
> cu
> Adrian
> 

Re: [2.6 patch] acpi/ec.c: fix use-after-free

[Len Brown]

Applied.

thanks,
-Len


On Wednesday 24 October 2007 13:30, Alexey Starikovskiy wrote:
> Adrian Bunk wrote:
> > On Wed, Oct 24, 2007 at 09:15:18PM +0400, Alexey Starikovskiy wrote:
> >> Adrian,
> >>
> >> commit 30c08574da0ead1a47797ce028218ce5b2de61c7 can not introduce use-after-free.
> >>
> >> Please check...
> > 
> > 
> > Commit 30c08574da0ead1a47797ce028218ce5b2de61c7 did:
> > 
> > <--  snip  -->
> > 
> >  	list_for_each_entry(handler, &ec->list, node) {
> >                 if (query_bit == handler->query_bit) {
> >                         list_del(&handler->node);
> >                         kfree(handler);
> > -                       break;
> >                 }
> > 	}
> > 
> > <--  snip  -->
> > 
> > 
> > If you look at the definition of list_for_each_entry() in 
> > include/linux/list.h:
> > 
> > <--  snip  -->
> > 
> > #define list_for_each_entry(pos, head, member)                          \
> >         for (pos = list_entry((head)->next, typeof(*pos), member);      \
> >              prefetch(pos->member.next), &pos->member != (head);        \
> >              pos = list_entry(pos->member.next, typeof(*pos), member))
> >                               ^^^^^^^^^^^^^^^^
> > 
> > <--  snip  -->
> > 
> > 
> > Without the "break", "handler" is being dereferenced after it was freed.
> Yes, found it minute before :( 
> Acked, thanks.
> > 
> > 
> >> Regards,
> >> Alex.
> >> Adrian Bunk wrote:
> >>> This patch fixes a use-after-free introduced by
> >>> commit 30c08574da0ead1a47797ce028218ce5b2de61c7.
> >>>
> >>> Spotted by the Coverity checker.
> >>>
> >>> Signed-off-by: Adrian Bunk <bunk@kernel.org>
> >>>
> >>> ---
> >>> --- linux-2.6/drivers/acpi/ec.c.old	2007-10-23 19:39:47.000000000 +0200
> >>> +++ linux-2.6/drivers/acpi/ec.c	2007-10-23 19:34:55.000000000 +0200
> >>> @@ -434,11 +442,11 @@
> >>>  EXPORT_SYMBOL_GPL(acpi_ec_add_query_handler);
> >>>  
> >>>  void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
> >>>  {
> >>> -	struct acpi_ec_query_handler *handler;
> >>> +	struct acpi_ec_query_handler *handler, *tmp;
> >>>  	mutex_lock(&ec->lock);
> >>> -	list_for_each_entry(handler, &ec->list, node) {
> >>> +	list_for_each_entry_safe(handler, tmp, &ec->list, node) {
> >>>  		if (query_bit == handler->query_bit) {
> >>>  			list_del(&handler->node);
> >>>  			kfree(handler);
> >>>  		}
> >>>
> > 
> > 
> > cu
> > Adrian
> > 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>