From patchwork Tue Jul 12 08:03:28 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Hajnoczi X-Patchwork-Id: 967522
From: Stefan Hajnoczi To: Len Brown, Anton Vorontsov, David Woodhouse Cc: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, Stefan Hajnoczi Subject: [PATCH 2/3] ACPI / Battery: avoid acpi_battery_add() use-after-free Date: Tue, 12 Jul 2011 09:03:28 +0100 Message-Id: <1310457809-2731-3-git-send-email-stefanha@linux.vnet.ibm.com> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1310457809-2731-1-git-send-email-stefanha@linux.vnet.ibm.com> References: <1310457809-2731-1-git-send-email-stefanha@linux.vnet.ibm.com> When acpi_battery_add_fs() fails, the error handling code does not clean up completely. Moreover, it does not return, resulting in a use-after-free. Signed-off-by: Stefan Hajnoczi --- drivers/acpi/battery.c | 18 ++++++++++++------ 1 files changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index fcc13ac..6b3aeba 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c
@@ -979,21 +979,27 @@ static int acpi_battery_add(struct acpi_device *device) #ifdef CONFIG_ACPI_PROCFS_POWER result = acpi_battery_add_fs(device); #endif - if (!result) { - printk(KERN_INFO PREFIX "%s Slot [%s] (battery %s)\n", - ACPI_BATTERY_DEVICE_NAME, acpi_device_bid(device), - device->status.battery_present ? "present" : "absent"); - } else { + if (result) { #ifdef CONFIG_ACPI_PROCFS_POWER acpi_battery_remove_fs(device); #endif - kfree(battery); + goto fail; } + printk(KERN_INFO PREFIX "%s Slot [%s] (battery %s)\n", + ACPI_BATTERY_DEVICE_NAME, acpi_device_bid(device), + device->status.battery_present ? "present" : "absent"); + battery->pm_nb.notifier_call = battery_notify; register_pm_notifier(&battery->pm_nb); return result; + +fail: + sysfs_remove_battery(battery); + mutex_destroy(&battery->lock); + kfree(battery); + return result; } static int acpi_battery_remove(struct acpi_device *device, int type)
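Review bot: The unwinding in acpi_battery_add() is split between the `if (result)` block, which still calls acpi_battery_remove_fs(device) under its #ifdef, and the new `fail:` label, which does sysfs_remove_battery(), mutex_destroy() and kfree(). With only one `goto fail` in the visible lines, moving the acpi_battery_remove_fs() call under the label would keep the whole teardown in one place, in reverse order of setup, and leave the branch as a bare `if (result) goto fail;`. Two things to confirm outside this hunk: that `result` is already zero on entry to the `if (result)` test when CONFIG_ACPI_PROCFS_POWER is not set, since the only visible assignment sits inside the #ifdef, and that no pointer to `battery` stored earlier in the function is left dangling after the kfree() in the fail path. The commit message would also be easier to audit if it named the two statements that used to run on the freed object (the `battery->pm_nb.notifier_call` store and `register_pm_notifier(&battery->pm_nb)`), because a notifier registered in freed memory is the part that matters most here.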