From: Julia Lawall <julia@diku.dk>
Date: Fri, 2 Apr 2010 02:47:13 +0000 (+0000)
Subject: powerpc/pseries/dlpar: Eliminate use after free
X-Git-Tag: v2.6.35-rc1~450^2~75
X-Git-Url: https://bbs.cooldavid.org/git/?a=commitdiff_plain;h=a7df5c5e52a545774c4db1f2adf09ede018ab139;p=net-next-2.6.git

powerpc/pseries/dlpar: Eliminate use after free

dlpar_free_cc_nodes frees its argument, so dlpar_online_cpu should not be
called on the same value.  Skip over the call to dlpar_online_cpu by
jumping directly to out.

A simplified version of the semantic patch that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E,E2;
@@

dlpar_free_cc_nodes(E)
...
(
  E = E2
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---

diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
index e1682bc168a..1540a41d1a8 100644
--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -433,6 +433,7 @@ static ssize_t dlpar_cpu_probe(const char *buf, size_t count)
 	if (rc) {
 		dlpar_release_drc(drc_index);
 		dlpar_free_cc_nodes(dn);
+		goto out;
 	}
 
 	rc = dlpar_online_cpu(dn);