From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965518AbcJFJiS (ORCPT ); Thu, 6 Oct 2016 05:38:18 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:47544 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S942230AbcJFIpt (ORCPT ); Thu, 6 Oct 2016 04:45:49 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sudeep Holla , Lee Jones , Jassi Brar Subject: [PATCH 4.7 086/141] mailbox: mailbox-test: set tdev->signal to NULL after freeing Date: Thu, 6 Oct 2016 10:28:42 +0200 Message-Id: <20161006074452.436577009@linuxfoundation.org> X-Mailer: git-send-email 2.10.0 In-Reply-To: <20161006074448.608056610@linuxfoundation.org> References: <20161006074448.608056610@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.7-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sudeep Holla commit 9ef3c5112139cc5c5666ee096e05bc1e00e94015 upstream. tdev->signal is not set NULL after it's freed. This will cause random exceptions when the stale pointer is accessed after tdev->signal is freed. Also, since tdev->signal allocation is skipped the next time it's written, this leads to continuous fault finally leading to the total death of the system. Fixes: d1c2f87c9a8f ("mailbox: mailbox-test: Prevent memory leak") Signed-off-by: Sudeep Holla Acked-by: Lee Jones Signed-off-by: Jassi Brar Signed-off-by: Greg Kroah-Hartman --- drivers/mailbox/mailbox-test.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/mailbox/mailbox-test.c +++ b/drivers/mailbox/mailbox-test.c @@ -133,6 +133,7 @@ static ssize_t mbox_test_message_write(s out: kfree(tdev->signal); kfree(tdev->message); + tdev->signal = NULL; return ret < 0 ? ret : count; }