BLASTing Linux Code

Jan Tobias Mühlberg and Gerald Lüttgen
Department of Computer Science, University of York, York YO10 5DD, U.K.



Checking Memory Safety: Example 2

Commit Overview

Commit Key: 2d6eac6c4fdaa69656d66c80754d267be233cc3f
Subject: [PATCH] drivers/infiniband/core/mad.c: fix a use-after-free
Description: The Coverity checker spotted this obvious use-after-free caused by a wrong order of the cleanups.
Requires: Linux 2.6.14 kernel source as from git://

--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -356,9 +356,9 @@ error4:
spin_unlock_irqrestore(&port_priv->reg_lock, flags);
- kfree(mad_agent_priv);
+ kfree(mad_agent_priv);
return ret;
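Review bot: as rendered, the removed and the added line of this hunk are both `kfree(mad_agent_priv);`, so the hunk no longer shows where the kfree moved, which is the whole fix according to the description ("a wrong order of the cleanups"). The hunk header promises nine lines from line 356 but only four survive, and the labels (error4, error3) between which the kfree is relocated are missing, so the text's references to lines 359 and 361 cannot be matched against it; showing the full hunk with its labels, or at least marking which label each of the two kfree lines follows, would make the ordering change visible.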

(purple: line numbers and function names; red: line removed; green: line added)


Unmodified sources


This example is actually quite similar to example 1. The bug results from a wrong order of the labels used in the different error cases. If the execution of ib_register_mad_agent() ever jumps to either error4 or error3, it will first release the pointer mad_agent_priv in line 359 but de-reference it again in line 361.
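The following is a constructed C sketch of that label ordering, added here and not taken from mad.c or from the BLAST experiments: a buggy cleanup chain beside a corrected one, with a counter standing in for what a second kfree() of the same object does in the kernel. The object names, the `fail_at` parameter and the `release()` tracker are all assumptions made for the illustration.

```c
/* Constructed stand-in for the two heap objects in the page's example:
 * the agent structure and its registration request. */
struct obj { int released; };
/* Counts releases of an already-released object. In the kernel that
 * second kfree() is the use-after-free; here it is only counted. */
static int double_release_count;
void release(struct obj *o) {
    if (o->released) double_release_count++;
    o->released = 1;
}
/* Buggy layout, modelled on the shape the page describes: the label for
 * the latest failure releases `agent`, then falls through into labels
 * that release it again. `fail_at` (assumed) is the failing step: 0 =
 * success, 2 = req allocation, 3 = setup after both allocations,
 * 4 = a step after the agent was registered. */
int register_buggy(struct obj *agent, struct obj *req, int fail_at) {
    double_release_count = 0;
    if (fail_at == 2) goto error2;
    if (fail_at == 3) goto error3;
    if (fail_at == 4) goto error4;
    return 0;
error4:
    release(agent);     /* released here ...                  */
error3:
    release(req);
error2:
    release(agent);     /* ... and again here: use-after-free */
    return -1;
}
/* Fixed layout: each label undoes only the step before it, so every
 * object is released exactly once wherever the failure occurred. */
int register_fixed(struct obj *agent, struct obj *req, int fail_at) {
    double_release_count = 0;
    if (fail_at == 2) goto error2;
    if (fail_at == 3) goto error3;
    if (fail_at == 4) goto error4;
    return 0;
error4:             /* unregister step would go here; nothing to free */
error3:
    release(req);
error2:
    release(agent);
    return -1;
}
/* Runs one variant for one failing step; returns the double-release count. */
int double_releases(int (*fn)(struct obj *, struct obj *, int), int fail_at) {
    struct obj agent = {0}, req = {0};
    fn(&agent, &req, fail_at);
    return double_release_count;
}
```

Only the deepest error path of the buggy variant releases the agent twice; the fixed variant releases each object once for every failing step.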

While experimenting with this error, we experienced the same problems as with example 1.


Jan Tobias Mühlberg