linux/drivers/char/agp
Jesper Juhl bdc3e603cd fix use after free in amd create gatt pages
Coverity spotted a "use after free" bug in
drivers/char/agp/amd-k7-agp.c::amd_create_gatt_pages().

The problem is this:
	If "entry = kzalloc(sizeof(struct amd_page_map), GFP_KERNEL);"
fails, then there's a loop in the function to free all entries
allocated so far and break out of the allocation loop. That in itself
is pretty sane, but then the (now freed) 'tables' is assigned to
amd_irongate_private.gatt_pages and 'retval' is set to -ENOMEM which
causes amd_free_gatt_pages(); to be called at the end of the function.
The problem with this is that amd_free_gatt_pages() will then loop
'amd_irongate_private.num_tables' times and try to free each entry in
tables[] - this is bad since tables has already been freed and
furthermore it will call kfree(tables) at the end - a double free.

This patch removes the freeing loop in amd_create_gatt_pages() and
instead relies entirely on the call to amd_free_gatt_pages() to free
everything we allocated in case of an error. It also sets
amd_irongate_private.num_tables to the actual number of entries
allocated instead of just using the value passed in from the caller -
this ensures that amd_free_gatt_pages() will only attempt to free
stuff that was actually allocated.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2007-10-15 10:32:15 +10:00
..
agp.h AGP fix race condition between unmapping and freeing pages 2007-10-15 10:32:15 +10:00
ali-agp.c AGP fix race condition between unmapping and freeing pages 2007-10-15 10:32:15 +10:00
alpha-agp.c PCI: Convert to alloc_pci_dev() 2007-05-02 19:02:37 -07:00
amd64-agp.c PCI: Change all drivers to use pci_device->revision 2007-07-11 16:02:10 -07:00
amd-k7-agp.c fix use after free in amd create gatt pages 2007-10-15 10:32:15 +10:00
ati-agp.c agp: balance ioremap checks 2007-08-25 18:14:00 +10:00
backend.c AGP fix race condition between unmapping and freeing pages 2007-10-15 10:32:15 +10:00
compat_ioctl.c Remove fs.h from mm.h 2007-07-29 17:09:29 -07:00
compat_ioctl.h [AGPGART] compat ioctl 2007-02-03 17:16:24 -05:00
efficeon-agp.c efficeon-agp leaks 'struct agp_bridge_data' in error paths of agp_efficeon_probe() 2007-08-06 07:30:20 +10:00
frontend.c Remove fs.h from mm.h 2007-07-29 17:09:29 -07:00
generic.c AGP fix race condition between unmapping and freeing pages 2007-10-15 10:32:15 +10:00
hp-agp.c agp: balance ioremap checks 2007-08-25 18:14:00 +10:00
i460-agp.c AGP fix race condition between unmapping and freeing pages 2007-10-15 10:32:15 +10:00
intel-agp.c AGP fix race condition between unmapping and freeing pages 2007-10-15 10:32:15 +10:00
isoch.c [AGPGART] Lots of CodingStyle/whitespace cleanups. 2006-02-28 00:54:25 -05:00
Kconfig agp: AMD AGP is used on UP1100 & UP1500 alpha boxen 2007-07-27 10:56:43 +10:00
Makefile [AGPGART] Fix modular agpgart ia64 allmodconfig 2007-02-20 14:18:01 -05:00
nvidia-agp.c agp: balance ioremap checks 2007-08-25 18:14:00 +10:00
parisc-agp.c PCI: Convert to alloc_pci_dev() 2007-05-02 19:02:37 -07:00
sgi-agp.c agp: don't lock pages 2007-07-27 10:46:26 +10:00
sis-agp.c [AGPGART] prevent probe collision of sis-agp and amd64_agp 2007-04-26 14:22:50 -04:00
sworks-agp.c [AGPGART] sworks-agp: Switch to PCI ref counting APIs 2007-04-26 14:22:51 -04:00
uninorth-agp.c [POWERPC] Rename get_property to of_get_property: drivers 2007-05-02 20:04:32 +10:00
via-agp.c agp: Add device id for P4M900 to via-agp module 2007-08-25 18:10:52 +10:00