* Andrew Morton ([EMAIL PROTECTED]) wrote: > On Thu, 19 Jul 2007 21:09:09 -0400 > Mathieu Desnoyers <[EMAIL PROTECTED]> wrote: > > > Coverity spotted what looks like a real possible case of using a > > variable after it has been freed. > > The problem is in kernel/relay.c::relay_open_buf() > > > > If the code hits "goto free_buf;" it ends up in this code : > > > > free_buf: > > relay_destroy_buf(buf); <--- calls kfree() on 'buf'. > > free_name: > > kfree(tmpname); > > end: > > return buf; <-- use after free of 'buf'. > > > > I read through the callers and they all handle a NULL return > > from this function as an error (and hitting the 'free_buf' label > > only happens on failure to chan->cb->create_buf_file(), so that > > looks like a clear error to me). > > > > The patch simply sets 'buf' to NULL after the call to > > relay_destroy_buf(buf); - as far as I can see that should take > > care of the problem. > > > > The patch also corrects a reference to a documentation file while > > I was at it. > > > > Note from Mathieu: the documentation reference change should have been > > done in a separate patch, but I guess no one will really care. > > > > Signed-off-by: Jesper Juhl <[EMAIL PROTECTED]> > > Acked-by: "David J. Wilder" <[EMAIL PROTECTED]> > > Tested-by: "David J. Wilder" <[EMAIL PROTECTED]> > > Signed-off-by: Mathieu Desnoyers <[EMAIL PROTECTED]> > > I'm going to infer from all this that the patch was actually written > by Jesper. Correct? > > If so, it shuld have had From: Jesper Juhl <[EMAIL PROTECTED]> > right at the start of the changelog.
Yes, it's the case. Thanks. -- Mathieu Desnoyers Computer Engineering Ph.D. Student, Ecole Polytechnique de Montreal OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
