GIT: unionfs2-2.6.27.y: SCSI: aacraid: Eliminate use after free

Erez Zadok ezk at fsl.cs.sunysb.edu
Thu Aug 12 23:15:36 EDT 2010


commit 4cccc4c16363508973bf6197cabd66291d2a3423
Author: Julia Lawall <julia at diku.dk>
Date:   Sat May 15 11:46:12 2010 +0200

    SCSI: aacraid: Eliminate use after free
    
    commit 8a52da632ceb9d8b776494563df579e87b7b586b upstream.
    
    The debugging code that uses the freed structure is moved before the kfree.
    
    A simplified version of the semantic match that finds this problem is as
    follows: (http://coccinelle.lip6.fr/)
    
    // <smpl>
    @free@
    expression E;
    position p;
    @@
    kfree at p(E)
    
    @@
    expression free.E, subE<=free.E, E1;
    position free.p;
    @@
    
      kfree at p(E)
      ...
    (
      subE = E1
    |
    * E
    )
    // </smpl>
    
    Signed-off-by: Julia Lawall <julia at diku.dk>
    Signed-off-by: James Bottomley <James.Bottomley at suse.de>

diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index a735526..a7b7da1 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -645,9 +645,9 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
 				/* Does this really need to be GFP_DMA? */
 				p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
 				if(!p) {
-					kfree (usg);
-					dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
+					dprintk((KERN_DEBUG "aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
 					  usg->sg[i].count,i,usg->count));
+					kfree(usg);
 					rcode = -ENOMEM;
 					goto cleanup;
 				}
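Review bot: After `kfree(usg);` the pointer `usg` stays live across the `goto cleanup`, and the cleanup label lies outside this hunk, so whether that path reads or frees `usg` again cannot be confirmed from here; the reordering removes the read in dprintk but leaves the freed pointer reachable. Adding `usg = NULL;` immediately after the kfree would turn any later free on the cleanup path into a no-op and any later dereference into an immediate NULL fault instead of a silent use-after-free or double free. If cleanup provably never touches `usg`, a one-line comment at the kfree, `/* usg is not referenced by cleanup */`, would let the next reader skip that check. aac_send_raw_srb's body starts and ends outside the hunk.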

