From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Purdie <rpurdie@rpsys.net>,
Antonino Daplas <adaplas@pol.net>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
Sam Ravnborg <sam@ravnborg.org>
Subject: [PATCH 4.4 034/101] video: fbdev: w100fb: Fix a potential double free.
Date: Fri, 19 Jun 2020 16:32:23 +0200 [thread overview]
Message-ID: <20200619141615.881811666@linuxfoundation.org> (raw)
In-Reply-To: <20200619141614.001544111@linuxfoundation.org>
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
the 'w100fb_restore_vidmem' function. (these functions are called
respectively from the 'suspend' and the 'resume' functions)
However, it is also freed in the 'remove' function.
In order to avoid a potential double free, set the corresponding pointer
to NULL once freed in the 'w100fb_restore_vidmem' function.
Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence")
Cc: Richard Purdie <rpurdie@rpsys.net>
Cc: Antonino Daplas <adaplas@pol.net>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: <stable@vger.kernel.org> # v2.6.14+
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200506181902.193290-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/w100fb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/video/fbdev/w100fb.c
+++ b/drivers/video/fbdev/w100fb.c
@@ -583,6 +583,7 @@ static void w100fb_restore_vidmem(struct
memsize=par->mach->mem->size;
memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize);
vfree(par->saved_extmem);
+ par->saved_extmem = NULL;
}
if (par->saved_intmem) {
memsize=MEM_INT_SIZE;
@@ -591,6 +592,7 @@ static void w100fb_restore_vidmem(struct
else
memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize);
vfree(par->saved_intmem);
+ par->saved_intmem = NULL;
}
}
next prev parent reply other threads:[~2020-06-19 16:52 UTC|newest]
Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 14:31 [PATCH 4.4 000/101] 4.4.228-rc1 review Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 001/101] ipv6: fix IPV6_ADDRFORM operation logic Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 002/101] vxlan: Avoid infinite loop when suppressing NS messages with invalid options Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 003/101] scsi: return correct blkprep status code in case scsi_init_io() fails Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 004/101] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 005/101] pwm: fsl-ftm: Use flat regmap cache Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 006/101] igb: improve handling of disconnected adapters Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 007/101] ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 008/101] sched/fair: Dont NUMA balance for kthreads Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 009/101] ath9k_htc: Silence undersized packet warnings Greg Kroah-Hartman
2020-06-19 14:31 ` [PATCH 4.4 010/101] x86_64: Fix jiffies ODR violation Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 011/101] x86/speculation: Prevent rogue cross-process SSBD shutdown Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 012/101] x86/reboot/quirks: Add MacBook6,1 reboot quirk Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 013/101] efi/efivars: Add missing kobject_put() in sysfs entry creation error path Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 014/101] ALSA: es1688: Add the missed snd_card_free() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 015/101] ALSA: usb-audio: Fix inconsistent card PM state after resume Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 016/101] ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 017/101] ACPI: PM: Avoid using power resources if there are none for D0 Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 018/101] cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 019/101] nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 020/101] spi: bcm2835aux: Fix controller unregister order Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 021/101] ALSA: pcm: disallow linking stream to itself Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 022/101] x86/speculation: Change misspelled STIPB to STIBP Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 023/101] x86/speculation: Add support for STIBP always-on preferred mode Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 024/101] x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 025/101] x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 026/101] spi: dw: fix possible race condition Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 027/101] spi: dw: Fix controller unregister order Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 028/101] spi: No need to assign dummy value in spi_unregister_controller() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 029/101] spi: Fix controller unregister order Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 030/101] spi: pxa2xx: " Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 031/101] spi: bcm2835: " Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 032/101] ovl: initialize error in ovl_copy_xattr Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 033/101] proc: Use new_inode not new_inode_pseudo Greg Kroah-Hartman
2020-06-19 14:32 ` Greg Kroah-Hartman [this message]
2020-06-19 14:32 ` [PATCH 4.4 035/101] KVM: nSVM: leave ASID aside in copy_vmcb_control_area Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 036/101] KVM: nVMX: Consult only the "basic" exit reason when routing nested exit Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 037/101] KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 038/101] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 039/101] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 040/101] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 041/101] ath9k: Fix general protection fault " Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 042/101] Smack: slab-out-of-bounds in vsscanf Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 043/101] mm/slub: fix a memory leak in sysfs_slab_add() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 044/101] fat: dont allow to mount if the FAT length == 0 Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 045/101] can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 046/101] spi: dw: Zero DMA Tx and Rx configurations on stack Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 047/101] Bluetooth: Add SCO fallback for invalid LMP parameters error Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 048/101] kgdb: Prevent infinite recursive entries to the debugger Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 049/101] spi: dw: Enable interrupts in accordance with DMA xfer mode Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 050/101] clocksource: dw_apb_timer_of: Fix missing clockevent timers Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 051/101] btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 052/101] ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 053/101] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 054/101] staging: android: ion: use vmap instead of vm_map_ram Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 055/101] e1000: Distribute switch variables for initialization Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 056/101] media: dvb: return -EREMOTEIO on i2c transfer failure Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 057/101] MIPS: Make sparse_init() using top-down allocation Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 058/101] netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 059/101] lib/mpi: Fix 64-bit MIPS build with Clang Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 060/101] net: lpc-enet: fix error return code in lpc_mii_init() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 061/101] net: allwinner: Fix use correct return type for ndo_start_xmit() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 062/101] powerpc/spufs: fix copy_to_user while atomic Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 063/101] mips: cm: Fix an invalid error code of INTVN_*_ERR Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 064/101] kgdb: Fix spurious true from in_dbg_master() Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 065/101] md: dont flush workqueue unconditionally in md_open Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 066/101] mwifiex: Fix memory corruption in dump_station Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 067/101] mips: Add udelay lpj numbers adjustment Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 068/101] x86/mm: Stop printing BRK addresses Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 069/101] m68k: mac: Dont call via_flush_cache() on Mac IIfx Greg Kroah-Hartman
2020-06-19 14:32 ` [PATCH 4.4 070/101] macvlan: Skip loopback packets in RX handler Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 071/101] PCI: Dont disable decoding when mmio_always_on is set Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 072/101] MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 073/101] ixgbe: fix signed-integer-overflow warning Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 074/101] spi: dw: Return any value retrieved from the dma_transfer callback Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 075/101] cpuidle: Fix three reference count leaks Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 076/101] ima: Fix ima digest hash table key calculation Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 077/101] ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 078/101] Btrfs: fix unreplayable log after snapshot delete + parent dir fsync Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 079/101] btrfs: send: emit file capabilities after chown Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 080/101] btrfs: fix error handling when submitting direct I/O bio Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 081/101] ima: Directly assign the ima_default_policy pointer to ima_rules Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 082/101] PCI: Program MPS for RCiEP devices Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 083/101] e1000e: Relax condition to trigger reset for ME workaround Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 084/101] carl9170: remove P2P_GO support Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 085/101] media: go7007: fix a miss of snd_card_free Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 086/101] b43legacy: Fix case where channel status is corrupted Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 087/101] b43: Fix connection problem with WPA3 Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 088/101] b43_legacy: " Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 089/101] igb: Report speed and duplex as unknown when device is runtime suspended Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 090/101] power: vexpress: add suppress_bind_attrs to true Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 091/101] pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 092/101] sparc32: fix register window handling in genregs32_[gs]et() Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 093/101] kernel/cpu_pm: Fix uninitted local in cpu_pm Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 094/101] ARM: tegra: Correct PL310 Auxiliary Control Register initialization Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 095/101] drivers/macintosh: Fix memleak in windfarm_pm112 driver Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 096/101] kbuild: force to build vmlinux if CONFIG_MODVERSION=y Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 097/101] sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 098/101] sunrpc: clean up properly in gss_mech_unregister() Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 099/101] w1: omap-hdq: cleanup to add missing newline for some dev_dbg Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 100/101] perf probe: Do not show the skipped events Greg Kroah-Hartman
2020-06-19 14:33 ` [PATCH 4.4 101/101] perf symbols: Fix debuginfo search for Ubuntu Greg Kroah-Hartman
2020-06-19 16:40 ` [PATCH 4.4 000/101] 4.4.228-rc1 review Guenter Roeck
2020-06-20 7:46 ` Greg Kroah-Hartman
2020-06-20 14:04 ` Guenter Roeck
2020-06-20 15:06 ` Greg Kroah-Hartman
2020-06-19 23:45 ` Guenter Roeck
2020-06-20 8:18 ` Naresh Kamboju
2020-06-20 9:49 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200619141615.881811666@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=adaplas@pol.net \
--cc=b.zolnierkie@samsung.com \
--cc=christophe.jaillet@wanadoo.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=rpurdie@rpsys.net \
--cc=sam@ravnborg.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).