From patchwork Sun Oct 21 10:52:05 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julia Lawall X-Patchwork-Id: 192989 X-Patchwork-Delegate: benh@kernel.crashing.org Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from ozlabs.org (localhost [IPv6:::1]) by ozlabs.org (Postfix) with ESMTP id BF9442C03D0 for ; Sun, 21 Oct 2012 22:03:47 +1100 (EST) X-Greylist: delayed 661 seconds by postgrey-1.34 at bilbo; Sun, 21 Oct 2012 22:03:19 EST Received: from mail4-relais-sop.national.inria.fr (mail4-relais-sop.national.inria.fr [192.134.164.105]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.inria.fr", Issuer "TERENA SSL CA" (not verified)) by ozlabs.org (Postfix) with ESMTPS id 220262C0096 for ; Sun, 21 Oct 2012 22:03:18 +1100 (EST) X-IronPort-AV: E=Sophos;i="4.80,625,1344204000"; d="scan'208";a="159799681" Received: from palace.lip6.fr (HELO localhost.localdomain) ([132.227.105.202]) by mail4-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Oct 2012 12:52:10 +0200 From: Julia Lawall To: Benjamin Herrenschmidt Subject: [PATCH 3/5] arch/powerpc/kernel/rtas_flash.c: eliminate possible double free Date: Sun, 21 Oct 2012 12:52:05 +0200 Message-Id: <1350816727-1381-4-git-send-email-Julia.Lawall@lip6.fr> X-Mailer: git-send-email 1.7.8.6 In-Reply-To: <1350816727-1381-1-git-send-email-Julia.Lawall@lip6.fr> References: <1350816727-1381-1-git-send-email-Julia.Lawall@lip6.fr> Cc: Paul Mackerras , kernel-janitors@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" From: Julia Lawall The function initialize_flash_pde_data is only called four times. All four calls are in the function rtas_flash_init, and on the failure of any of the calls, remove_flash_pde is called on the third argument of each of the calls. There is thus no need for initialize_flash_pde_data to call remove_flash_pde on the same argument. remove_flash_pde kfrees the data field of its argument, and does not clear that field, so this amounts ot a possible double free. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @r@ identifier f,free,a; parameter list[n] ps; type T; expression e; @@ f(ps,T a,...) { ... when any when != a = e if(...) { ... free(a); ... return ...; } ... when any } @@ identifier r.f,r.free; expression x,a; expression list[r.n] xs; @@ * x = f(xs,a,...); if (...) { ... free(a); ... return ...; } // Signed-off-by: Julia Lawall --- Not tested. arch/powerpc/kernel/rtas_flash.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c index 20b0120..8329190 100644 --- a/arch/powerpc/kernel/rtas_flash.c +++ b/arch/powerpc/kernel/rtas_flash.c @@ -650,10 +650,8 @@ static int initialize_flash_pde_data(const char *rtas_call_name, int token; dp->data = kzalloc(buf_size, GFP_KERNEL); - if (dp->data == NULL) { - remove_flash_pde(dp); + if (dp->data == NULL) return -ENOMEM; - } /* * This code assumes that the status int is the first member of the