linux-kernel.vger.kernel.org archive mirror
* [patch] rapidio: use after free in unregister function
@ 2013-07-05  6:02 Dan Carpenter
  2013-07-05  7:06 ` Ryan Mallon
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2013-07-05  6:02 UTC (permalink / raw)
  To: Matt Porter; +Cc: Alexandre Bounine, linux-kernel, kernel-janitors

We need to use the _safe version of list_for_each_entry() because we
are freeing the iterator.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
index f4f30af..84ac64a 100644
--- a/drivers/rapidio/rio.c
+++ b/drivers/rapidio/rio.c
@@ -1701,7 +1701,7 @@ EXPORT_SYMBOL_GPL(rio_register_scan);
 int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
 {
 	struct rio_mport *port;
-	struct rio_scan_node *scan;
+	struct rio_scan_node *scan, *tmp;
 
 	pr_debug("RIO: %s for mport_id=%d\n", __func__, mport_id);
 
@@ -1715,7 +1715,7 @@ int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
 		    (mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
 			port->nscan = NULL;
 
-	list_for_each_entry(scan, &rio_scans, node)
+	list_for_each_entry_safe(scan, tmp, &rio_scans, node)
 		if (scan->mport_id == mport_id) {
 			list_del(&scan->node);
 			kfree(scan);
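
Review bot: The body of `list_for_each_entry_safe()` in the second hunk is a multi-line `if` block with no braces around the loop itself; add `{ }` so the loop's extent does not rest on a single statement. Separately, `tmp` and the `_safe` form are only needed if more than one node can carry the same `mport_id`; if registration allows one node per id, a `break;` after `kfree(scan);` in the original loop is the smaller change.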


* Re: [patch] rapidio: use after free in unregister function
  2013-07-05  6:02 [patch] rapidio: use after free in unregister function Dan Carpenter
@ 2013-07-05  7:06 ` Ryan Mallon
  2013-07-05  7:19   ` Dan Carpenter
  2013-07-05 20:39   ` [patch v2] " Dan Carpenter
  0 siblings, 2 replies; 7+ messages in thread
From: Ryan Mallon @ 2013-07-05  7:06 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Matt Porter, Alexandre Bounine, linux-kernel, kernel-janitors

On 05/07/13 16:02, Dan Carpenter wrote:
> We need to use the _safe version of list_for_each_entry() because we
> are freeing the iterator.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
> index f4f30af..84ac64a 100644
> --- a/drivers/rapidio/rio.c
> +++ b/drivers/rapidio/rio.c
> @@ -1701,7 +1701,7 @@ EXPORT_SYMBOL_GPL(rio_register_scan);
>  int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
>  {
>  	struct rio_mport *port;
> -	struct rio_scan_node *scan;
> +	struct rio_scan_node *scan, *tmp;
>  
>  	pr_debug("RIO: %s for mport_id=%d\n", __func__, mport_id);
>  
> @@ -1715,7 +1715,7 @@ int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
>  		    (mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
>  			port->nscan = NULL;
>  
> -	list_for_each_entry(scan, &rio_scans, node)
> +	list_for_each_entry_safe(scan, tmp, &rio_scans, node)
>  		if (scan->mport_id == mport_id) {
>  			list_del(&scan->node);
>  			kfree(scan);

It looks like an mport_id can only be assigned to one scan entry (see
rio_register_scan), so you can use list_for_each_entry and break; after
the kfree(scan); instead.

~Ryan



* Re: [patch] rapidio: use after free in unregister function
  2013-07-05  7:06 ` Ryan Mallon
@ 2013-07-05  7:19   ` Dan Carpenter
  2013-07-05 19:04     ` Bounine, Alexandre
  2013-07-05 20:39   ` [patch v2] " Dan Carpenter
  1 sibling, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2013-07-05  7:19 UTC (permalink / raw)
  To: Ryan Mallon; +Cc: Matt Porter, Alexandre Bounine, linux-kernel, kernel-janitors

On Fri, Jul 05, 2013 at 05:06:14PM +1000, Ryan Mallon wrote:
> On 05/07/13 16:02, Dan Carpenter wrote:
> It looks like an mport_id can only be assigned to one scan entry (see
> rio_register_scan), so you can use list_for_each_entry and break; after
> the kfree(scan); instead.

Yeah.  You're right.  I'll resend.

regards,
dan carpenter



* RE: [patch] rapidio: use after free in unregister function
  2013-07-05  7:19   ` Dan Carpenter
@ 2013-07-05 19:04     ` Bounine, Alexandre
  0 siblings, 0 replies; 7+ messages in thread
From: Bounine, Alexandre @ 2013-07-05 19:04 UTC (permalink / raw)
  To: Dan Carpenter, Ryan Mallon; +Cc: Matt Porter, linux-kernel, kernel-janitors

> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Friday, July 05, 2013 3:19 AM
> To: Ryan Mallon
> Cc: Matt Porter; Bounine, Alexandre; linux-kernel@vger.kernel.org;
> kernel-janitors@vger.kernel.org
> Subject: Re: [patch] rapidio: use after free in unregister function
> 
> On Fri, Jul 05, 2013 at 05:06:14PM +1000, Ryan Mallon wrote:
> > On 05/07/13 16:02, Dan Carpenter wrote:
> > It looks like an mport_id can only be assigned to one scan entry (see
> > rio_register_scan), so you can use list_for_each_entry and break; after
> > the kfree(scan); instead.
> 
> Yeah.  You're right.  I'll resend.
> 
> regards,
> dan carpenter

Thank you for catching it. Missed it because we have only one enumerator so far.

Alex.


* [patch v2] rapidio: use after free in unregister function
  2013-07-05  7:06 ` Ryan Mallon
  2013-07-05  7:19   ` Dan Carpenter
@ 2013-07-05 20:39   ` Dan Carpenter
  2013-07-05 23:26     ` Ryan Mallon
  2013-07-08 11:55     ` Bounine, Alexandre
  1 sibling, 2 replies; 7+ messages in thread
From: Dan Carpenter @ 2013-07-05 20:39 UTC (permalink / raw)
  To: Matt Porter; +Cc: Alexandre Bounine, Ryan Mallon, linux-kernel, kernel-janitors

We're freeing the list iterator so we can't move to the next entry.
Since there is only one matching mport_id, we can just break after
finding it.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: cleaner fix than v1

diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
index f4f30af..2e8a20c 100644
--- a/drivers/rapidio/rio.c
+++ b/drivers/rapidio/rio.c
@@ -1715,11 +1715,13 @@ int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
 		    (mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
 			port->nscan = NULL;
 
-	list_for_each_entry(scan, &rio_scans, node)
+	list_for_each_entry(scan, &rio_scans, node) {
 		if (scan->mport_id == mport_id) {
 			list_del(&scan->node);
 			kfree(scan);
+			break;
 		}
+	}
 
 	mutex_unlock(&rio_mport_list_lock);
 
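
Review bot: The `break;` after `kfree(scan);` is only correct while at most one node on `rio_scans` can have a given `mport_id`, and nothing in the loop says so. A one-line comment above `list_for_each_entry()` naming that invariant would keep a later change that permits duplicate ids from silently leaving stale nodes on the list.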


* Re: [patch v2] rapidio: use after free in unregister function
  2013-07-05 20:39   ` [patch v2] " Dan Carpenter
@ 2013-07-05 23:26     ` Ryan Mallon
  2013-07-08 11:55     ` Bounine, Alexandre
  1 sibling, 0 replies; 7+ messages in thread
From: Ryan Mallon @ 2013-07-05 23:26 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Matt Porter, Alexandre Bounine, linux-kernel, kernel-janitors

On 06/07/13 06:39, Dan Carpenter wrote:

> We're freeing the list iterator so we can't move to the next entry.
> Since there is only one matching mport_id, we can just break after
> finding it.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: cleaner fix than v1
> 
> diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
> index f4f30af..2e8a20c 100644
> --- a/drivers/rapidio/rio.c
> +++ b/drivers/rapidio/rio.c
> @@ -1715,11 +1715,13 @@ int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
>  		    (mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
>  			port->nscan = NULL;
>  
> -	list_for_each_entry(scan, &rio_scans, node)
> +	list_for_each_entry(scan, &rio_scans, node) {
>  		if (scan->mport_id == mport_id) {
>  			list_del(&scan->node);
>  			kfree(scan);
> +			break;
>  		}
> +	}
>  
>  	mutex_unlock(&rio_mport_list_lock);
>  
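
Review bot: The loop removes and frees the node on `scan->mport_id == mport_id` alone, while the context lines just above it also compare `port->nscan == scan_ops` before clearing `port->nscan`. Please confirm that freeing the node without checking that it belongs to `scan_ops` is intended; if not, the match condition in the `if` should include that check.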


Reviewed-by: Ryan Mallon <rmallon@gmail.com>



* RE: [patch v2] rapidio: use after free in unregister function
  2013-07-05 20:39   ` [patch v2] " Dan Carpenter
  2013-07-05 23:26     ` Ryan Mallon
@ 2013-07-08 11:55     ` Bounine, Alexandre
  1 sibling, 0 replies; 7+ messages in thread
From: Bounine, Alexandre @ 2013-07-08 11:55 UTC (permalink / raw)
  To: Dan Carpenter, Matt Porter; +Cc: Ryan Mallon, linux-kernel, kernel-janitors

On Friday, July 05, 2013 4:39 PM, Dan Carpenter wrote:

> We're freeing the list iterator so we can't move to the next entry.
> Since there is only one matching mport_id, we can just break after
> finding it.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: cleaner fix than v1
> 
> diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
> index f4f30af..2e8a20c 100644
> --- a/drivers/rapidio/rio.c
> +++ b/drivers/rapidio/rio.c
> @@ -1715,11 +1715,13 @@ int rio_unregister_scan(int mport_id, struct
> rio_scan *scan_ops)
>  		    (mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
>  			port->nscan = NULL;
> 
> -	list_for_each_entry(scan, &rio_scans, node)
> +	list_for_each_entry(scan, &rio_scans, node) {
>  		if (scan->mport_id == mport_id) {
>  			list_del(&scan->node);
>  			kfree(scan);
> +			break;
>  		}
> +	}
> 
>  	mutex_unlock(&rio_mport_list_lock);
>

Acked-by: Alexandre Bounine <alexandre.bounine@idt.com>
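
The two loop shapes discussed in this thread, as an added userspace example (not code from the patch or the kernel tree). The list helpers are simplified stand-ins for `<linux/list.h>`, and `scan_node`, `add_scan`, `del_scan`, `remove_all` and `remove_first` are hypothetical names; the duplicate id is constructed to show that the `break` form matches the `_safe` form only while each `mport_id` appears at most once.

```c
#include <stddef.h>
#include <stdlib.h>
/* Simplified userspace stand-ins for <linux/list.h>; all names are hypothetical. */
struct list_head { struct list_head *next, *prev; };
struct scan_node { int mport_id; struct list_head node; };
#define to_scan(p) ((struct scan_node *)((char *)(p) - offsetof(struct scan_node, node)))

static void add_scan(struct list_head *h, int id)
{
	struct scan_node *s = malloc(sizeof(*s));
	if (!s) abort();
	s->mport_id = id;
	s->node.prev = h->prev; s->node.next = h;
	h->prev->next = &s->node; h->prev = &s->node;
}

static void del_scan(struct scan_node *s)	/* list_del() then kfree() */
{
	s->node.prev->next = s->node.next;
	s->node.next->prev = s->node.prev;
	free(s);
}

/* v1 shape (list_for_each_entry_safe): the successor is saved before the
 * body runs, so the current node may be freed; removes every match. */
static int remove_all(struct list_head *h, int id)
{
	struct list_head *pos, *tmp;
	int freed = 0;
	for (pos = h->next, tmp = pos->next; pos != h; pos = tmp, tmp = pos->next)
		if (to_scan(pos)->mport_id == id) { del_scan(to_scan(pos)); freed++; }
	return freed;
}

/* v2 shape (list_for_each_entry + break): leave the loop before the advance
 * step "pos = pos->next" can read freed memory; removes the first match only. */
static int remove_first(struct list_head *h, int id)
{
	struct list_head *pos;
	for (pos = h->next; pos != h; pos = pos->next)
		if (to_scan(pos)->mport_id == id) { del_scan(to_scan(pos)); return 1; }
	return 0;
}

int main(void)
{
	struct list_head h = { &h, &h };
	add_scan(&h, 7); add_scan(&h, 7); add_scan(&h, 9);	/* constructed ids, one duplicate */
	return !(remove_first(&h, 7) == 1 && remove_all(&h, 7) == 1 && remove_all(&h, 9) == 1);
}
```

Building it with `-fsanitize=address` and dropping the early `return 1` from `remove_first` reproduces the use-after-free report on the loop's advance step.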

 
