linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe()
@ 2012-04-22 20:13 Jesper Juhl
  2012-04-22 20:34 ` Marek Vasut
  0 siblings, 1 reply; 4+ messages in thread
From: Jesper Juhl @ 2012-04-22 20:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Felipe Contreras, Marek Vasut, Felipe Balbi, Anton Vorontsov,
	Heikki Krogerus, Kalle Jokiniemi

In isp1704_charger_probe() at the 'fail0:' label we kfree(isp) and
then subsequently call isp1704_charger_set_power(isp, 0). That's a
problem since isp1704_charger_set_power() dereferences the pointer it
is passed as its first argument, which is 'isp', which we already
freed.

Fixed by simply swapping the order of the two calls so that we only
kfree() *after* the call to isp1704_charger_set_power().

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 drivers/power/isp1704_charger.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/power/isp1704_charger.c b/drivers/power/isp1704_charger.c
index 39eb50f..8a610da 100644
--- a/drivers/power/isp1704_charger.c
+++ b/drivers/power/isp1704_charger.c
@@ -476,11 +476,9 @@ fail2:
 fail1:
 	usb_put_transceiver(isp->phy);
 fail0:
-	kfree(isp);
-
 	dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
-
 	isp1704_charger_set_power(isp, 0);
+	kfree(isp);
 	return ret;
 }
 
-- 
1.7.10


-- 
Jesper Juhl <jj@chaosbits.net>       http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe()
  2012-04-22 20:13 [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe() Jesper Juhl
@ 2012-04-22 20:34 ` Marek Vasut
  2012-05-06  3:12   ` Anton Vorontsov
  0 siblings, 1 reply; 4+ messages in thread
From: Marek Vasut @ 2012-04-22 20:34 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: linux-kernel, Felipe Contreras, Felipe Balbi, Anton Vorontsov,
	Heikki Krogerus, Kalle Jokiniemi

Dear Jesper Juhl,

> In isp1704_charger_probe() at the 'fail0:' label we kfree(isp) and
> then subsequently call isp1704_charger_set_power(isp, 0). That's a
> problem since isp1704_charger_set_power() dereferences the pointer it
> is passed as its first argument, which is 'isp', which we already
> freed.
> 
> Fixed by simply swapping the order of the two calls so that we only
> kfree() *after* the call to isp1704_charger_set_power().
> 
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
>  drivers/power/isp1704_charger.c |    4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/power/isp1704_charger.c
> b/drivers/power/isp1704_charger.c index 39eb50f..8a610da 100644
> --- a/drivers/power/isp1704_charger.c
> +++ b/drivers/power/isp1704_charger.c
> @@ -476,11 +476,9 @@ fail2:
>  fail1:
>  	usb_put_transceiver(isp->phy);
>  fail0:
> -	kfree(isp);
> -
>  	dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
> -
>  	isp1704_charger_set_power(isp, 0);
> +	kfree(isp);

Use devm_kzalloc() and be done with all this goo?

>  	return ret;
>  }

Best regards,
Marek Vasut

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe()
  2012-04-22 20:34 ` Marek Vasut
@ 2012-05-06  3:12   ` Anton Vorontsov
  2012-05-06 13:18     ` Jesper Juhl
  0 siblings, 1 reply; 4+ messages in thread
From: Anton Vorontsov @ 2012-05-06  3:12 UTC (permalink / raw)
  To: Marek Vasut
  Cc: Jesper Juhl, linux-kernel, Felipe Contreras, Felipe Balbi,
	Heikki Krogerus, Kalle Jokiniemi

On Sun, Apr 22, 2012 at 10:34:59PM +0200, Marek Vasut wrote:
[...]
> > -
> >  	dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
> > -
> >  	isp1704_charger_set_power(isp, 0);
> > +	kfree(isp);

Dan Carpenter sent a similar fix ~month ago, so it's in already.

> Use devm_kzalloc() and be done with all this goo?

Yeah, that's actually a good idea.

Thanks,

-- 
Anton Vorontsov
Email: cbouatmailru@gmail.com

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe()
  2012-05-06  3:12   ` Anton Vorontsov
@ 2012-05-06 13:18     ` Jesper Juhl
  0 siblings, 0 replies; 4+ messages in thread
From: Jesper Juhl @ 2012-05-06 13:18 UTC (permalink / raw)
  To: Anton Vorontsov
  Cc: Marek Vasut, linux-kernel, Felipe Contreras, Felipe Balbi,
	Heikki Krogerus, Kalle Jokiniemi


Sorry about the late reply, I've been away from my mailbox for a while.

On Sat, 5 May 2012, Anton Vorontsov wrote:

> On Sun, Apr 22, 2012 at 10:34:59PM +0200, Marek Vasut wrote:
> [...]
> > > -
> > >  	dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
> > > -
> > >  	isp1704_charger_set_power(isp, 0);
> > > +	kfree(isp);
> 
> Dan Carpenter sent a similar fix ~month ago, so it's in already.
> 
Ok :)

> > Use devm_kzalloc() and be done with all this goo?
> 
> Yeah, that's actually a good idea.
> 
No promises, but I may look into this in a few days.

-- 
Jesper Juhl <jj@chaosbits.net>       http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-05-06 13:18 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-04-22 20:13 [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe() Jesper Juhl
2012-04-22 20:34 ` Marek Vasut
2012-05-06  3:12   ` Anton Vorontsov
2012-05-06 13:18     ` Jesper Juhl

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).