kernel_optimize_test/net
Christian Lamparter 9e81eccf19 cfg80211: double free in __cfg80211_scan_done
This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

        request = rdev->scan_req;
        dev = dev_get_by_index(&init_net, request->ifidx);
        /*
         * the driver was unloaded recently and
         * therefore dev_get_by_index will return NULL!
         */
        if (!dev)
                goto out;
        [...]
        rdev->scan_req = NULL; /* not executed... */
        [...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:44 -04:00
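The bug pattern the commit message walks through, as an added user-space model (not code from the kernel, from cfg80211, or from this commit): a `goto out` that shares one `kfree()` between the early-exit path and the normal path, while only the normal path clears the owner's pointer, so a later teardown routine frees the same block again. The struct names mirror the commit text, but their fields, the `lookup_dev`/`unregister_wiphy` stand-ins and the free-counting allocator are assumptions made for the example, and the "fixed" variant is one possible fix, not necessarily the commit's own diff.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the kernel objects named in the commit message
 * (hypothetical field sets, chosen for the example). */
struct scan_request { int ifidx; };
struct reg_dev      { struct scan_request *scan_req; };
struct net_device   { int ifindex; };

/* Free tracker: records every "kfree" so a second free of the same block
 * is counted rather than corrupting the heap (SLUB debug's role above). */
#define MAX_TRACKED 16
static uintptr_t freed[MAX_TRACKED];
static int nfreed;

static int times_freed(uintptr_t tag)
{
    int n = 0;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == tag)
            n++;
    return n;
}

static void tracked_kfree(void *p)
{
    if (!p)
        return;                     /* kfree(NULL) is a no-op */
    if (nfreed < MAX_TRACKED)
        freed[nfreed++] = (uintptr_t)p;
    if (times_freed((uintptr_t)p) == 1)
        free(p);                    /* only the first free really releases it */
}

/* dev_get_by_index() stand-in: NULL once the driver's device is gone. */
static struct net_device *lookup_dev(struct net_device *devs, int ndevs, int ifidx)
{
    for (int i = 0; i < ndevs; i++)
        if (devs[i].ifindex == ifidx)
            return &devs[i];
    return NULL;
}

/* Shape of the bug: on the !dev path rdev->scan_req is never cleared, so
 * the request is freed here and again by the unregister path. */
static void scan_done_buggy(struct reg_dev *rdev, struct net_device *devs, int ndevs)
{
    struct scan_request *request = rdev->scan_req;
    struct net_device *dev = lookup_dev(devs, ndevs, request->ifidx);
    if (!dev)
        goto out;
    /* ... normal completion work ... */
    rdev->scan_req = NULL;          /* not reached when dev is NULL */
out:
    tracked_kfree(request);
}

/* One fix (this example's choice): drop the owner's reference on the
 * shared exit path, so every route to the kfree also clears it. */
static void scan_done_fixed(struct reg_dev *rdev, struct net_device *devs, int ndevs)
{
    struct scan_request *request = rdev->scan_req;
    struct net_device *dev = lookup_dev(devs, ndevs, request->ifidx);
    if (!dev)
        goto out;
    /* ... normal completion work ... */
out:
    rdev->scan_req = NULL;
    tracked_kfree(request);
}

/* wiphy_unregister() stand-in: frees whatever scan_req still points at. */
static void unregister_wiphy(struct reg_dev *rdev)
{
    tracked_kfree(rdev->scan_req);
    rdev->scan_req = NULL;
}

/* Run one variant with the scanning device already unloaded (no device
 * matches the request's ifidx); returns how many times the request was
 * freed, so 2 means a double free. */
static int run_variant(int fixed)
{
    struct net_device devs[1] = { { .ifindex = 3 } };  /* constructed: only ifindex 3 exists */
    struct reg_dev rdev;
    struct scan_request *req = malloc(sizeof *req);
    uintptr_t tag = (uintptr_t)req;
    if (!req)
        return -1;
    req->ifidx = 7;                 /* the unloaded driver's interface */
    rdev.scan_req = req;
    nfreed = 0;
    if (fixed)
        scan_done_fixed(&rdev, devs, 1);
    else
        scan_done_buggy(&rdev, devs, 1);
    unregister_wiphy(&rdev);
    return times_freed(tag);
}

int main(void)
{
    printf("buggy path: request freed %d times\n", run_variant(0));
    printf("fixed path: request freed %d times\n", run_variant(1));
    return 0;
}
```

The point to take from the model is about ownership, not about `goto`: whoever frees a block must also clear every pointer through which another path could reach it, and a shared exit label is the one place that is guaranteed to run on both the error and the success route.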
Name          Last commit                                                           Date
9p            net/9p: Fix crash due to bad mount parameters.                        2009-07-02 13:17:01 -07:00
802
8021q
appletalk
atm           net: adding memory barrier to the poll and receive callbacks          2009-07-09 17:06:57 -07:00
ax25
bluetooth
bridge        bridge: Use rcu_barrier() instead of syncronize_net() on unload.      2009-06-26 13:51:32 -07:00
can           net/can: add module alias to can protocol drivers                     2009-07-15 11:20:38 -07:00
core          Fix error return for setsockopt(SO_TIMESTAMPING)                      2009-07-20 08:23:36 -07:00
dcb
dccp          net: adding memory barrier to the poll and receive callbacks          2009-07-09 17:06:57 -07:00
decnet        decnet: Use rcu_barrier() on module unload.                           2009-06-26 13:51:27 -07:00
dsa           dsa: fix 88e6xxx statistics counter snapshotting                      2009-07-05 18:03:35 -07:00
econet
ethernet
ieee802154    nl802154: add module license and description                          2009-06-29 18:20:28 +04:00
ipv4          tcp: Use correct peer adr when copying MD5 keys                       2009-07-20 07:49:08 -07:00
ipv6          tcp: Use correct peer adr when copying MD5 keys                       2009-07-20 07:49:08 -07:00
ipx
irda
iucv          net: adding memory barrier to the poll and receive callbacks          2009-07-09 17:06:57 -07:00
key
lapb
llc
mac80211      mac80211: use correct address for mesh Path Error                     2009-07-21 12:07:40 -04:00
netfilter     netfilter: nf_conntrack: nf_conntrack_alloc() fixes                   2009-07-16 14:03:40 +02:00
netlabel
netlink
netrom
packet
phonet        Phonet: generate Netlink RTM_DELADDR when destroying a device         2009-06-25 02:58:16 -07:00
rds
rfkill        rfkill: fix rfkill_set_states() to set the hw state                   2009-07-21 12:07:38 -04:00
rose
rxrpc         net: adding memory barrier to the poll and receive callbacks          2009-07-09 17:06:57 -07:00
sched
sctp          sctp: fix warning at inet_sock_destruct() while release sctp socket   2009-07-06 12:47:08 -07:00
sunrpc        sunrpc: Use rcu_barrier() on unload.                                  2009-06-26 13:51:34 -07:00
tipc
unix          net: adding memory barrier to the poll and receive callbacks          2009-07-09 17:06:57 -07:00
wanrouter
wimax
wireless      cfg80211: double free in __cfg80211_scan_done                         2009-07-21 12:07:44 -04:00
x25
xfrm          xfrm: use xfrm_addr_cmp() instead of compare addresses directly       2009-06-29 19:41:46 -07:00
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c
TUNABLE