linux/drivers/char
Julia Lawall 0643e4c6e4 drivers/char: Eliminate use after free
In each case, the first argument to send_control_msg or __send_control_msg,
respectively, has either not been successfully allocated or has been freed
at the point of the call.  In the first case, the first argument, port, is
only used to access the portdev and id fields, in order to call
__send_control_msg.  Thus it seems possible instead to call
__send_control_msg directly.  In the second case, the call to
__send_control_msg is moved up to a place where it seems like the first
argument, portdev, has been initialized sufficiently to make the call to
__send_control_msg meaningful.

This has only been compile tested.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@free@
expression E;
position p;
@@
kfree@p(E)

@@
expression free.E, subE<=free.E, E1;
position free.p;
@@

  kfree@p(E)
  ...
(
  subE = E1
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2010-05-19 22:15:51 +09:30
agp Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intel 2010-04-17 14:28:50 -07:00
hw_random virtio-rng: use virtqueue_xxx wrappers 2010-05-19 22:15:45 +09:30
ip2 Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
ipmi sysfs: fix sysfs lockdep warning in ipmi code 2010-03-19 07:12:12 -07:00
mwave mwave: fix read buffer overflow 2009-09-24 07:21:03 -07:00
pcmcia pcmcia: fix error handling in cm4000_cs.c 2010-04-19 16:04:13 +02:00
rio include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
tpm include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
xilinx_hwicap include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
.gitignore
amiserial.c drivers/char/amiserial.c: add missing local_irq_restore 2010-04-07 08:38:02 -07:00
apm-emulation.c const: constify remaining file_operations 2009-10-01 16:11:11 -07:00
applicom.c tree-wide: Assorted spelling fixes 2010-02-09 11:13:56 +01:00
applicom.h
bfin_jtag_comm.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
bfin-otp.c const: constify remaining file_operations 2009-10-01 16:11:11 -07:00
briq_panel.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
bsr.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
cd1865.h
consolemap.c
cp437.uni
cs5535_gpio.c drivers: Remove BKL from cs5535_gpio 2009-10-14 17:36:48 +02:00
cyclades.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
defkeymap.c_shipped
defkeymap.map
digi1.h
digiFep1.h
digiPCI.h
ds1302.c
ds1620.c
dsp56k.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
dtlk.c headers: remove sched.h from poll.h 2009-10-04 15:05:10 -07:00
efirtc.c efirtc: explicitly set llseek to no_llseek 2009-12-16 07:19:59 -08:00
epca.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
epca.h
epcaconfig.h
generic_nvram.c nvram: Drop the bkl from nvram_llseek() 2009-10-14 17:36:49 +02:00
generic_serial.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
genrtc.c headers: Fix build after <linux/sched.h> removal 2009-10-13 10:20:16 -07:00
hangcheck-timer.c
hpet.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hvc_beat.c Merge branch 'next-devicetree' of git://git.secretlab.ca/git/linux-2.6 2010-02-25 15:38:37 -08:00
hvc_console.c hvc_console: Fix race between hvc_close and hvc_remove 2010-04-08 09:46:20 +09:30
hvc_console.h hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_irq.c hvc_console: Call free_irq() only if request_irq() was successful 2009-01-13 14:48:01 +11:00
hvc_iseries.c Merge branch 'for-next' into for-linus 2010-03-08 16:55:37 +01:00
hvc_iucv.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hvc_rtas.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_udbg.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_vio.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvc_xen.c hvc_console: make the ops pointer const. 2010-02-24 14:22:32 +10:30
hvcs.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hvsi.c powerpc/hvsi: Avoid calculating possibly-invalid address 2009-08-20 10:29:28 +10:00
i8k.c
isicom.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
istallion.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
Kconfig virtio: console: Associate each port with a char device 2010-02-24 14:22:53 +10:30
keyboard.c Input: add match() method to input handlers 2010-02-04 00:25:19 -08:00
lp.c lp: move compat_ioctl handling into lp.c 2009-12-10 22:55:36 +01:00
Makefile tty: esp: remove broken driver 2009-12-11 15:18:03 -08:00
mbcs.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mbcs.h
mem.c frv: hide uncached_access() when pgprot_noncached is not #defined 2010-04-07 08:38:05 -07:00
misc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mmtimer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
moxa.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
moxa.h
mspec.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
mxser.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
mxser.h
n_hdlc.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
n_r3964.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
n_tty.c ldisc n_tty: add new method n_tty_inherit_ops() 2010-03-12 15:52:43 -08:00
nozomi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
nsc_gpio.c
nvram.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
nwbutton.c
nwbutton.h
nwflash.c ARM: add missing include to nwflash.c 2009-12-19 23:36:00 +00:00
pc8736x_gpio.c drivers: Remove BKL from pc8736x_gpio 2009-10-14 17:36:52 +02:00
ppdev.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ps3flash.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pty.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
random.c Fix misspellings of "truly" in comments. 2010-02-04 11:55:45 +01:00
raw.c vfs: rename block_fsync() to blkdev_fsync() 2010-04-07 08:38:04 -07:00
riscom8_reg.h
riscom8.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
riscom8.h
rocket_int.h
rocket.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
rocket.h
rtc.c sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
scc.h m68k: atari - Rename "mfp" to "st_mfp" 2009-02-22 09:23:02 -08:00
scx200_gpio.c drivers: Remove BKL from scx200_gpio 2009-10-14 17:36:53 +02:00
selection.c tty: rewrite the ldisc locking 2009-06-11 08:51:01 -07:00
ser_a2232.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
ser_a2232.h
ser_a2232fw.ax
ser_a2232fw.h
serial167.c serial167: Kill unused variables 2010-05-17 21:37:38 +02:00
snsc_event.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
snsc.c
snsc.h
sonypi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
specialix_io8.h
specialix.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
stallion.c tty: Fix regressions in the char driver conversion 2010-04-30 09:20:33 -07:00
sx.c headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
sx.h
sxboards.h
sxwindow.h
synclink_gt.c serial: synclink_gt: dropped transmit data bugfix 2010-03-02 14:43:08 -08:00
synclink.c Char: synclink, remove unnecessary checks 2010-03-02 14:43:16 -08:00
synclinkmp.c hdlc: convert to netdev_tx_t 2009-09-01 01:13:31 -07:00
sysrq.c tracing: Dump either the oops's cpu source or all cpus buffers 2010-04-21 23:11:42 +02:00
tb0219.c mips: Remove BKL from tb0219 2009-10-14 17:36:53 +02:00
tlclk.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
toshiba.c tosh: Use non bkl ioctl 2010-01-04 12:31:21 -08:00
tty_audit.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
tty_buffer.c tty_buffer: Fix distinct type warning 2010-03-19 07:17:55 -07:00
tty_io.c tty: Fix unbalanced BKL handling in error path 2010-05-13 12:10:56 -07:00
tty_ioctl.c tree-wide: fix a very frequent spelling mistake 2009-11-09 09:40:54 +01:00
tty_ldisc.c tty: Fix the ldisc hangup race 2010-03-02 14:43:22 -08:00
tty_port.c tty_port,usb-console: Fix usb serial console open/close regression 2010-03-19 07:17:57 -07:00
uv_mmtimer.c x86, UV: Fix RTC latency bug by reading replicated cachelines 2010-01-27 11:33:53 +01:00
vc_screen.c vc: create vcs(a) devices for consoles 2009-07-20 16:38:43 -07:00
viotape.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
virtio_console.c drivers/char: Eliminate use after free 2010-05-19 22:15:51 +09:30
vme_scc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
vt_ioctl.c Revert "tty: Add a new VT mode which is like VT_PROCESS but doesn't require a VT_RELDISP ioctl call" 2010-03-19 07:17:52 -07:00
vt.c tree-wide: Assorted spelling fixes 2010-02-09 11:13:56 +01:00