From patchwork Mon Sep 28 08:58:43 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: roel kluin <roel.kluin@gmail.com>
X-Patchwork-Id: 34372
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id B79FFB7BCE
	for <patchwork-incoming@ozlabs.org>;
	Mon, 28 Sep 2009 18:51:27 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752770AbZI1Ium (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Mon, 28 Sep 2009 04:50:42 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752281AbZI1Iul
	(ORCPT <rfc822; netdev-outgoing>); Mon, 28 Sep 2009 04:50:41 -0400
Received: from mail-ew0-f211.google.com ([209.85.219.211]:42476 "EHLO
	mail-ew0-f211.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752537AbZI1Iuj (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 28 Sep 2009 04:50:39 -0400
Received: by ewy7 with SMTP id 7so4217433ewy.17
	for <netdev@vger.kernel.org>; Mon, 28 Sep 2009 01:50:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	:user-agent:mime-version:to:cc:subject:references:in-reply-to
	:content-type:content-transfer-encoding;
	bh=TlIu5qv8oL1sez9wIL15knLwIEJDfi7wfr/rfq9KJIc=;
	b=xIbWk72TzUUZ1tJJKjTmnUWM304EWnC85plkGk1Y5j8XS0wEybJ6Lr/bcFKeuKcqPu
	bVYYElmGXLWe38d6sfpvbrtirnL1n9bp5N3gnZfoRgPCuponNqs3yHuLvUKZqTfVkKqo
	EbNXQKOntB8wCTo19Z4QcdmJHnGLR486Ee3QE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	b=LZOODIQYENOyOwfbUkiwtrGNOGTgK1hG+AQZVGmmt0Ep6QYZ81urn+FxPZmJOnkpul
	IHmCagS7LeExIEYI41TXIJpU+0pM7B9Q/yZOFXFatIdd/smU5b79tSb/R2Iu2jzr2DZC
	7bEPfO7U/6LcNYgX/BxpfwS3/oSMwVpJJ92bI=
Received: by 10.210.7.21 with SMTP id 21mr2806436ebg.66.1254127842912;
	Mon, 28 Sep 2009 01:50:42 -0700 (PDT)
Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62])
	by mx.google.com with ESMTPS id 7sm1933914eyb.28.2009.09.28.01.50.41
	(version=SSLv3 cipher=RC4-MD5);
	Mon, 28 Sep 2009 01:50:41 -0700 (PDT)
Message-ID: <4AC07AC3.1090707@gmail.com>
Date: Mon, 28 Sep 2009 10:58:43 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1.1) Gecko/20090814 Fedora/3.0-2.6.b3.fc11
	Thunderbird/3.0b3
MIME-Version: 1.0
To: David Miller <davem@davemloft.net>
CC: joe@perches.com, chas@cmf.nrl.navy.mil,
	linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
	akpm@linux-foundation.org
Subject: Re: [PATCH] atm: dereference of he_dev->rbps_virt in he_init_group()
References: <4AB66240.6060703@gmail.com>
	<20090922.142532.24854998.davem@davemloft.net>	<4ABE152F.20507@gmail.com>
	<20090926.202636.105018102.davem@davemloft.net>
In-Reply-To: <20090926.202636.105018102.davem@davemloft.net>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Juha Leppanen <juha_motorsportcom@luukku.com>
Date: Sat, Sep 26, 2009 at 12:34 AM
Subject: atm: he: memleak/negative indexing of arrays in he_init_group()

The prefix decrement causes a very long loop if pci_pool_alloc() failed
in the first iteration. Also I swapped rbps and rbpl arguments.

Reported-by: Juha Leppanen <juha_motorsportcom@luukku.com>
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/atm/he.c b/drivers/atm/he.c
index 29e66d6..7066703 100644
--- a/drivers/atm/he.c
+++ b/drivers/atm/he.c
@@ -921,9 +921,9 @@ out_free_rbpq_base:
 			he_dev->rbrq_phys);
 	i = CONFIG_RBPL_SIZE;
 out_free_rbpl_virt:
-	while (--i)
-		pci_pool_free(he_dev->rbps_pool, he_dev->rbpl_virt[i].virt,
-				he_dev->rbps_base[i].phys);
+	while (i--)
+		pci_pool_free(he_dev->rbpl_pool, he_dev->rbpl_virt[i].virt,
+				he_dev->rbpl_base[i].phys);
 	kfree(he_dev->rbpl_virt);
 
 out_free_rbpl_base:
@@ -933,11 +933,11 @@ out_free_rbpl_base:
 out_destroy_rbpl_pool:
 	pci_pool_destroy(he_dev->rbpl_pool);
 
-	i = CONFIG_RBPL_SIZE;
+	i = CONFIG_RBPS_SIZE;
 out_free_rbps_virt:
-	while (--i)
-		pci_pool_free(he_dev->rbpl_pool, he_dev->rbps_virt[i].virt,
-				he_dev->rbpl_base[i].phys);
+	while (i--)
+		pci_pool_free(he_dev->rbps_pool, he_dev->rbps_virt[i].virt,
+				he_dev->rbps_base[i].phys);
 	kfree(he_dev->rbps_virt);
 
 out_free_rbps_base: