netdev.vger.kernel.org archive mirror
* [patch] cpmac: use after free
@ 2010-03-03  8:46 Dan Carpenter
  2010-03-03  8:59 ` Jiri Pirko
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2010-03-03  8:46 UTC (permalink / raw)
  To: netdev
  Cc: Florian Fainelli, David S. Miller, Ralf Baechle, Jiri Pirko,
	Stefan Weil, kernel-janitors

The original code dereferenced "cpmac_mii" after calling 
"mdiobus_free(cpmac_mii);"

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Found by a static checker and not tested.  Sorry.  :/

diff --git a/drivers/net/cpmac.c b/drivers/net/cpmac.c
index b85c81f..9d48942 100644
--- a/drivers/net/cpmac.c
+++ b/drivers/net/cpmac.c
@@ -1290,8 +1290,8 @@ void __devexit cpmac_exit(void)
 {
 	platform_driver_unregister(&cpmac_driver);
 	mdiobus_unregister(cpmac_mii);
-	mdiobus_free(cpmac_mii);
 	iounmap(cpmac_mii->priv);
+	mdiobus_free(cpmac_mii);
 }
 
 module_init(cpmac_init);
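
Review bot: the last two calls in cpmac_exit() now carry an ordering constraint that nothing in the code states: `iounmap(cpmac_mii->priv);` reads a field of the bus structure, so `mdiobus_free(cpmac_mii);` has to remain the final statement. A one-line comment above the free, or reading `cpmac_mii->priv` into a local variable before the teardown calls, would keep a later cleanup from reintroducing the stale read. The changelog could also say that the value read from the freed structure was the address handed to iounmap(), which is what makes the old order more than a cosmetic issue. Since the note under the `---` line says the change is untested, a module load and unload on hardware that uses this driver, ideally with slab poisoning enabled, would confirm the exit path before merging.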


* Re: [patch] cpmac: use after free
  2010-03-03  8:46 [patch] cpmac: use after free Dan Carpenter
@ 2010-03-03  8:59 ` Jiri Pirko
  2010-03-03  9:07   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Jiri Pirko @ 2010-03-03  8:59 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: netdev, Florian Fainelli, David S. Miller, Ralf Baechle,
	Stefan Weil, kernel-janitors

Wed, Mar 03, 2010 at 09:46:10AM CET, error27@gmail.com wrote:
>The original code dereferenced "cpmac_mii" after calling 
>"mdiobus_free(cpmac_mii);"
>
>Signed-off-by: Dan Carpenter <error27@gmail.com>
>---
>Found by a static checker and not tested.  Sorry.  :/
>
>diff --git a/drivers/net/cpmac.c b/drivers/net/cpmac.c
>index b85c81f..9d48942 100644
>--- a/drivers/net/cpmac.c
>+++ b/drivers/net/cpmac.c
>@@ -1290,8 +1290,8 @@ void __devexit cpmac_exit(void)
> {
> 	platform_driver_unregister(&cpmac_driver);
> 	mdiobus_unregister(cpmac_mii);
>-	mdiobus_free(cpmac_mii);
> 	iounmap(cpmac_mii->priv);
>+	mdiobus_free(cpmac_mii);
> }
> 
> module_init(cpmac_init);

Looks good. Thanks.

Reviewed-by: Jiri Pirko <jpirko@redhat.com>



* Re: [patch] cpmac: use after free
  2010-03-03  8:59 ` Jiri Pirko
@ 2010-03-03  9:07   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2010-03-03  9:07 UTC (permalink / raw)
  To: jpirko; +Cc: error27, netdev, florian, ralf, weil, kernel-janitors

From: Jiri Pirko <jpirko@redhat.com>
Date: Wed, 3 Mar 2010 09:59:58 +0100

> Wed, Mar 03, 2010 at 09:46:10AM CET, error27@gmail.com wrote:
>>The original code dereferenced "cpmac_mii" after calling 
>>"mdiobus_free(cpmac_mii);"
>>
>>Signed-off-by: Dan Carpenter <error27@gmail.com>
>>---
>>Found by a static checker and not tested.  Sorry.  :/
>>
>>diff --git a/drivers/net/cpmac.c b/drivers/net/cpmac.c
>>index b85c81f..9d48942 100644
>>--- a/drivers/net/cpmac.c
>>+++ b/drivers/net/cpmac.c
>>@@ -1290,8 +1290,8 @@ void __devexit cpmac_exit(void)
>> {
>> 	platform_driver_unregister(&cpmac_driver);
>> 	mdiobus_unregister(cpmac_mii);
>>-	mdiobus_free(cpmac_mii);
>> 	iounmap(cpmac_mii->priv);
>>+	mdiobus_free(cpmac_mii);
>> }
>> 
>> module_init(cpmac_init);
> 
> Looks good. Thanks.
> 
> Reviewed-by: Jiri Pirko <jpirko@redhat.com>

Applied.
