From patchwork Sat May 15 09:46:54 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Julia Lawall <julia@diku.dk>
X-Patchwork-Id: 3390
Return-path: <linux-media-owner@vger.kernel.org>
Envelope-to: mchehab@infradead.org
Delivery-date: Sat, 15 May 2010 09:47:24 +0000
Received: from bombadil.infradead.org [18.85.46.34]
	by pedra with IMAP (fetchmail-6.3.6)
	for <mchehab@localhost> (single-drop);
	Sat, 15 May 2010 22:46:08 -0300 (BRT)
Received: from vger.kernel.org ([209.132.180.67])
	by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux))
	id 1ODDxs-0004XI-LV; Sat, 15 May 2010 09:47:24 +0000
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754128Ab0EOJrB (ORCPT <rfc822; kmpark@infradead.org> + 1 other);
	Sat, 15 May 2010 05:47:01 -0400
Received: from mgw1.diku.dk ([130.225.96.91]:44228 "EHLO mgw1.diku.dk"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753446Ab0EOJq7 (ORCPT <rfc822;linux-media@vger.kernel.org>);
	Sat, 15 May 2010 05:46:59 -0400
Received: from localhost (localhost [127.0.0.1])
	by mgw1.diku.dk (Postfix) with ESMTP id B268252C532;
	Sat, 15 May 2010 11:46:58 +0200 (CEST)
Received: from mgw1.diku.dk ([127.0.0.1])
	by localhost (mgw1.diku.dk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 3o4A1FOQgKuW; Sat, 15 May 2010 11:46:54 +0200 (CEST)
Received: from nhugin.diku.dk (nhugin.diku.dk [130.225.96.140])
	by mgw1.diku.dk (Postfix) with ESMTP id 3283252C4FB;
	Sat, 15 May 2010 11:46:54 +0200 (CEST)
Received: from ask.diku.dk (ask.diku.dk [130.225.96.225])
	by nhugin.diku.dk (Postfix) with ESMTP
	id 552E66DFD17; Sat, 15 May 2010 11:39:43 +0200 (CEST)
Received: by ask.diku.dk (Postfix, from userid 3767)
	id 185AD200BE; Sat, 15 May 2010 11:46:54 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by ask.diku.dk (Postfix) with ESMTP id 10B74200BC;
	Sat, 15 May 2010 11:46:54 +0200 (CEST)
Date: Sat, 15 May 2010 11:46:54 +0200 (CEST)
From: Julia Lawall <julia@diku.dk>
To: Mauro Carvalho Chehab <mchehab@infradead.org>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH 4/4] drivers/media/video: Eliminate use after free
Message-ID: <Pine.LNX.4.64.1005151146370.15566@ask.diku.dk>
MIME-Version: 1.0
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org

From: Julia Lawall <julia@diku.dk>

The error value is saved in a new local variable err before freeing the
containing structure.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@free@
expression E;
position p;
@@
kfree@p(E)

@@
expression free.E, subE<=free.E, E1;
position free.p;
@@

  kfree@p(E)
  ...
(
  subE = E1
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
---
 drivers/media/video/mem2mem_testdev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/media/video/mem2mem_testdev.c b/drivers/media/video/mem2mem_testdev.c
index baf211b..fb73f34 100644
--- a/drivers/media/video/mem2mem_testdev.c
+++ b/drivers/media/video/mem2mem_testdev.c
@@ -858,6 +858,7 @@ static int m2mtest_open(struct file *file)
 {
 	struct m2mtest_dev *dev = video_drvdata(file);
 	struct m2mtest_ctx *ctx = NULL;
+	int err;
 
 	ctx = kzalloc(sizeof *ctx, GFP_KERNEL);
 	if (!ctx)
@@ -871,8 +872,9 @@ static int m2mtest_open(struct file *file)
 
 	ctx->m2m_ctx = v4l2_m2m_ctx_init(ctx, dev->m2m_dev, queue_init);
 	if (IS_ERR(ctx->m2m_ctx)) {
+		err = PTR_ERR(ctx->m2m_ctx);
 		kfree(ctx);
-		return PTR_ERR(ctx->m2m_ctx);
+		return err;
 	}
 
 	atomic_inc(&dev->num_inst);