BLASTing Linux Code

Jan Tobias Mühlberg and Gerald Lüttgen
Department of Computer Science, University of York, York YO10 5DD, U.K.





Checking Memory Safety: Example 8


Commit Overview

Commit Key 67a69cdd748de32d9991056c207f7ab3798230a5
Subject [PATCH] PCI: fix hotplug double free
Description With the brackets missed out func could be freed twice.
Found by Coverity tool
Requires Linux 2.6.11 kernel source (the 2.6.11.y stable branch) from git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/linux-2.6.11.y.git

--- a/drivers/pci/hotplug/pciehp_ctrl.c
+++ b/drivers/pci/hotplug/pciehp_ctrl.c
@@ -1354,10 +1354,11 @@ static u32 remove_board(struct pci_func
dbg("PCI Bridge Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n",
ctrl->seg, func->bus, func->device, func->function);
bridge_slot_remove(func);
- } else
+ } else {
dbg("PCI Function Hot-Remove s:b:d:f(%02x:%02x:%02x:%02x)\n",
ctrl->seg, func->bus, func->device, func->function);
slot_remove(func);
+ }
func = pciehp_slot_find(ctrl->slot_bus, device, 0);
}
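Review bot: the root cause in the removed line is that the unbraced `} else` governs only the single dbg() call (which merely looks like two statements because it is wrapped onto two lines), so `slot_remove(func);` was executed on both arms of the if, and on the bridge arm it ran after `bridge_slot_remove(func);` had already released func. The added braces are the right fix; since the if arm was already braced, the kernel style rule of bracing both arms whenever one needs braces would have prevented this, and a compiler warning for misleading indentation would also have flagged the old layout. Consider stating in the commit message that the unconditional slot_remove() call also inspects func before freeing it, so the bridge path reads freed memory before the second kfree(), not only frees it twice.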

(lines prefixed with "-" were removed by the patch; lines prefixed with "+" were added)

Files

Unmodified sources

Comments

The error in this example resides in lines 1357 to 1360 of the source file. The two functions bridge_slot_remove() and slot_remove() do essentially the same thing: both end by calling kfree() on their argument. Without the brackets around lines 1358 to 1360, the else branch consists only of the dbg() call, so slot_remove(func) is executed on both paths and, on the bridge path, the pointer func is freed twice. Worse, slot_remove() performs several checks on func before freeing it, so on that path the already freed pointer is also dereferenced (a use-after-free) ahead of the second kfree().
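The following program is an added example, not code from the page or from the Linux kernel. It reproduces the control-flow shape of the buggy remove_board() with a stand-in slot structure and a counting release routine, so that the second free is observed and counted rather than corrupting the heap. The names slot_func, release_func, remove_board_buggy, remove_board_fixed and run are hypothetical; bridge_slot_remove() and slot_remove() here are models that only mimic the behaviour the page describes (both release their argument, slot_remove() inspects it first).

```c
/* Added example: models the missing-braces double free from pciehp_ctrl.c.
 * All names below are hypothetical stand-ins, not kernel code. */
#include <stdio.h>

struct slot_func {            /* stand-in for the kernel's pci_func */
    int is_bridge;
    int freed;                /* set once released; lets a second release be detected */
};

static int release_count;     /* releases performed in the last run() */
static int double_free_count; /* releases of an already released func in the last run() */

/* Both slot removal functions end in "kfree(func)"; this models that call. */
static void release_func(struct slot_func *func)
{
    release_count++;
    if (func->freed)
        double_free_count++;  /* in the real kernel: a second kfree() of the same pointer */
    func->freed = 1;
}

static void bridge_slot_remove(struct slot_func *func)
{
    release_func(func);
}

static void slot_remove(struct slot_func *func)
{
    /* slot_remove() checks func before freeing it; after the bridge path this
     * is a read of freed memory. Modelled here as a check on the flag. */
    if (func->freed)
        fprintf(stderr, "slot_remove: inspecting an already released func\n");
    release_func(func);
}

static void dbg(const char *msg)
{
    (void)msg;                /* the kernel's dbg() macro; output not needed here */
}

/* Buggy shape (before the patch): the else body is only the dbg() call, so
 * slot_remove() runs unconditionally, including after bridge_slot_remove(). */
static void remove_board_buggy(struct slot_func *func)
{
    if (func->is_bridge) {
        dbg("PCI Bridge Hot-Remove");
        bridge_slot_remove(func);
    } else
        dbg("PCI Function Hot-Remove");
        slot_remove(func);    /* indented like part of the else, but it is not */
}

/* Fixed shape (after the patch): braces make slot_remove() part of the else. */
static void remove_board_fixed(struct slot_func *func)
{
    if (func->is_bridge) {
        dbg("PCI Bridge Hot-Remove");
        bridge_slot_remove(func);
    } else {
        dbg("PCI Function Hot-Remove");
        slot_remove(func);
    }
}

/* Runs one variant on a constructed bridge or non-bridge func and returns
 * how many times func was released after already having been released. */
static int run(void (*variant)(struct slot_func *), int is_bridge)
{
    struct slot_func f = { is_bridge, 0 };   /* constructed sample input */
    release_count = 0;
    double_free_count = 0;
    variant(&f);
    return double_free_count;
}

int main(void)
{
    printf("buggy, bridge:     double frees = %d\n", run(remove_board_buggy, 1));
    printf("buggy, non-bridge: double frees = %d\n", run(remove_board_buggy, 0));
    printf("fixed, bridge:     double frees = %d\n", run(remove_board_fixed, 1));
    printf("fixed, non-bridge: double frees = %d\n", run(remove_board_fixed, 0));
    return 0;
}
```

Only the buggy variant on the bridge path reports a double free; the non-bridge path is unaffected in both variants because there slot_remove() is the only release. Compiling the buggy function with GCC's -Wmisleading-indentation (enabled by -Wall since GCC 6) warns about the slot_remove() line, which is the cheapest way to catch this pattern before a model checker or Coverity does.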

Using BLAST we were able to find this bug on a manually simplified version of the source code.

Source: http://www.kernel.org



Jan Tobias Mühlberg