[PATCH] firmware_class: avoid double free

From: Duncan Sands
Date: Sat Oct 02 2004 - 11:52:56 EST

Next message: Adrian Bunk: "Re: 2.6.9-rc3-mm1 build failure"
Previous message: Jean Delvare: "Re: mmap() on cdrom files fails in 2.6.9-rc2-mmX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The error exit path in request_firmware frees the allocated
struct firmware *firmware, which is good. What is not so good
is that the value of firmware has already been copied out to the
caller as *firmware_p. The risk is that the caller will pass this
to release_firmware, a double free. This is exactly what will
happen if the caller copied the example code

if(request_firmware(&fw_entry, $FIRMWARE, device) == 0)
copy_fw_to_device(fw_entry->data, fw_entry->size);
release(fw_entry);

from the firmware documentation.

--- mm/drivers/base/firmware_class.c.orig 2004-10-02 18:43:00.323005656 +0200
+++ mm/drivers/base/firmware_class.c 2004-10-02 18:43:37.500448654 +0200
@@ -441,6 +441,7 @@

error_kfree_fw:
kfree(firmware);
+ *firmware_p = NULL;
out:
return retval;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Adrian Bunk: "Re: 2.6.9-rc3-mm1 build failure"
Previous message: Jean Delvare: "Re: mmap() on cdrom files fails in 2.6.9-rc2-mmX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]