greybus: power_supply: fix use after free of power supply
authorRui Miguel Silva <rui.silva@linaro.org>
Fri, 8 Jan 2016 13:53:47 +0000 (13:53 +0000)
committerGreg Kroah-Hartman <gregkh@google.com>
Tue, 12 Jan 2016 03:18:14 +0000 (19:18 -0800)
Individual power supply were being freed and checked using the wrong
pointers and at the wrong place, which would make several issues, like
used after free and so on.
Fix it by freeing all allocated memory after release individual power
supply.

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Reported-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
drivers/staging/greybus/power_supply.c

index 3c9bb12351e447f422a4b3ba50e10dd011908934..d985e13b5a0de545074668a9d41c8874beb83cc4 100644 (file)
@@ -544,13 +544,10 @@ static void _gb_power_supply_free(struct gb_power_supply *gbpsy)
        kfree(gbpsy->manufacturer);
        kfree(gbpsy->props_raw);
        kfree(gbpsy->props);
-       kfree(gbpsy);
 }
 
 static void _gb_power_supply_release(struct gb_power_supply *gbpsy)
 {
-       if (!gbpsy)
-               return;
 
        gbpsy->update_interval = 0;
 
@@ -576,6 +573,7 @@ static void _gb_power_supplies_release(struct gb_power_supplies *supplies)
        mutex_lock(&supplies->supplies_lock);
        for (i = 0; i < supplies->supplies_count; i++)
                _gb_power_supply_release(&supplies->supply[i]);
+       kfree(supplies->supply);
        mutex_unlock(&supplies->supplies_lock);
        kfree(supplies);
 }