| From 8a52da632ceb9d8b776494563df579e87b7b586b Mon Sep 17 00:00:00 2001 |
| From: Julia Lawall <julia@diku.dk> |
| Date: Sat, 15 May 2010 11:46:12 +0200 |
| Subject: SCSI: aacraid: Eliminate use after free |
| |
| From: Julia Lawall <julia@diku.dk> |
| |
| commit 8a52da632ceb9d8b776494563df579e87b7b586b upstream. |
| |
| The debugging code using the freed structure is moved before the kfree. |
| |
| A simplified version of the semantic match that finds this problem is as |
| follows: (http://coccinelle.lip6.fr/) |
| |
| // <smpl> |
| @free@ |
| expression E; |
| position p; |
| @@ |
| kfree@p(E) |
| |
| @@ |
| expression free.E, subE<=free.E, E1; |
| position free.p; |
| @@ |
| |
| kfree@p(E) |
| ... |
| ( |
| subE = E1 |
| | |
| * E |
| ) |
| // </smpl> |
| |
| Signed-off-by: Julia Lawall <julia@diku.dk> |
| Signed-off-by: James Bottomley <James.Bottomley@suse.de> |
| |
| --- |
| drivers/scsi/aacraid/commctrl.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/scsi/aacraid/commctrl.c |
| +++ b/drivers/scsi/aacraid/commctrl.c |
| @@ -655,9 +655,9 @@ static int aac_send_raw_srb(struct aac_d |
| /* Does this really need to be GFP_DMA? */ |
| p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA); |
| if(!p) { |
| - kfree (usg); |
| - dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n", |
| + dprintk((KERN_DEBUG "aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n", |
| usg->sg[i].count,i,usg->count)); |
| + kfree(usg); |
| rcode = -ENOMEM; |
| goto cleanup; |
| } |
