author | Eric Dumazet <eric.dumazet@gmail.com> | 2011-07-11 06:22:21 -0400 |
---|---|---|
committer | Matthew Garrett <mjg@redhat.com> | 2011-07-11 09:52:35 -0400 |
commit | 0401846c339fbdfb9bd822d83b43e8a9f7d072a4 (patch) | |
tree | dd998733df9af656b960c97588d4e3ec84521236 /drivers/platform | |
parent | b486742a12a474a01d1acb1a5924af11d9b32b68 (diff) |
hp-wmi: fix use after free
[ 191.310008] WARNING: kmemcheck: Caught 32-bit read from freed memory (f0d25f14)
[ 191.310011] c056d2f088000000105fd2f00000000050415353040000000000000000000000
[ 191.310020] i i i i f f f f f f f f f f f f f f f f f f f f f f f f f f f f
[ 191.310027] ^
[ 191.310029]
[ 191.310032] Pid: 737, comm: modprobe Not tainted 3.0.0-rc5+ #268 Hewlett-Packard HP Compaq 6005 Pro SFF PC/3047h
[ 191.310036] EIP: 0060:[<f80b3104>] EFLAGS: 00010286 CPU: 0
[ 191.310039] EIP is at hp_wmi_perform_query+0x104/0x150 [hp_wmi]
[ 191.310041] EAX: f0d25601 EBX: f0d25f00 ECX: 000121cf EDX: 000121ce
[ 191.310043] ESI: f0d25f10 EDI: f0f97ea8 EBP: f0f97ec4 ESP: c173f34c
[ 191.310045] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 191.310046] CR0: 8005003b CR2: f540c000 CR3: 30f30000 CR4: 000006d0
[ 191.310048] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 191.310050] DR6: ffff4ff0 DR7: 00000400
[ 191.310051] [<f80b317b>] hp_wmi_dock_state+0x2b/0x40 [hp_wmi]
[ 191.310054] [<f80b6093>] hp_wmi_init+0x93/0x1a8 [hp_wmi]
[ 191.310057] [<c10011f0>] do_one_initcall+0x30/0x170
[ 191.310061] [<c107ab9f>] sys_init_module+0xef/0x1a60
[ 191.310064] [<c149f998>] sysenter_do_call+0x12/0x28
[ 191.310067] [<ffffffff>] 0xffffffff
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Diffstat (limited to 'drivers/platform')
-rw-r--r-- | drivers/platform/x86/hp-wmi.c | 11 |
1 files changed, 6 insertions, 5 deletions
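--- a/drivers/platform/x86/hp-wmi.c
+++ b/drivers/platform/x86/hp-wmi.c
@@ -207,6 +207,7 @@ static int hp_wmi_perform_query(int query, int write, void *buffer,
 };
 struct acpi_buffer input = { sizeof(struct bios_args), &args };
 struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
+u32 rc;
 
 if (WARN_ON(insize > sizeof(args.data)))
 return -EINVAL;
@@ -224,13 +225,13 @@ static int hp_wmi_perform_query(int query, int write, void *buffer,
 }
 
 bios_return = (struct bios_return *)obj->buffer.pointer;
+rc = bios_return->return_code;
 
-if (bios_return->return_code) {
-if (bios_return->return_code != HPWMI_RET_UNKNOWN_CMDTYPE)
-pr_warn("query 0x%x returned error 0x%x\n",
-query, bios_return->return_code);
+if (rc) {
+if (rc != HPWMI_RET_UNKNOWN_CMDTYPE)
+pr_warn("query 0x%x returned error 0x%x\n", query, rc);
 kfree(obj);
-return bios_return->return_code;
+return rc;
 }
 
 if (!outsize) {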
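Review bot: The new read `rc = bios_return->return_code;` still trusts that the firmware-returned buffer is at least `sizeof(struct bios_return)` bytes; no length check is visible between the cast of `obj->buffer.pointer` and the dereference. If the lines above this hunk only validate the object type (they are not shown here), a guard such as `if (obj->buffer.length < sizeof(*bios_return)) { kfree(obj); return -EINVAL; }` before the read would keep a short ACPI buffer from being read out of bounds. Separately, `rc` is declared `u32` while the function returns `int`, so a comment on the declaration like `/* BIOS status copied out before kfree(obj); positive, not an -errno */` would document both the lifetime reason for the copy and the sign convention callers rely on. hp_wmi_perform_query begins above and continues below the hunks shown.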