[LWN Logo]
Date:	Fri, 16 Mar 2001 22:17:30 -0800
From:	Seth Andrew Hallem <shallem@Stanford.EDU>
To:	linux-kernel@vger.kernel.org
Subject: Potential free/use-after-free bugs


I am another student of Dawson Engler's working on the meta-level
compilation project.  I have just finished processing the results of a
checker which looks for double frees and use-after-frees.  I think we have
found 12-14 bugs.  I also have some questions regarding skbs.  Our checker
found a lot of instances where the skb is freed, then its length field is
accessed.  I have included an example location below.  Is this a bug or
not?  It appears that the length field is not cleared as the skbs are
referenced counted and the state clearing leaves the length alone.  I am
unsure as to whether this is a bug, bad practice, or just fine, though.
Any help would be appreciated.  Thanks.

Seth Hallem

[BUG] Returns a freed pointer.  Probably bad but I'm not sure.
ERROR:FREE:430:438: WARN: Use-after-free of "ent"! set by 'kfree':430

Start --->
		goto out;
Error --->
	return ent;

[BUG] Potential double or more free.
ERROR:FREE:237:236: Use-after-free of 'private'! set by 'kfree':237

		/* My special items, the standard routines free my urbs */
		if (serial->port->private)
Error --->
Start --->

[BUG] Copy paste of above potential bug.
ERROR:FREE:278:277: Use-after-free of 'private'! set by 'kfree':278

ERROR:FREE:171:178: Use-after-free of 's'! set by 'kfree':171

Start --->
	if (r == low)
		sprintf (name_buf, "%s", name);
		sprintf (name_buf, "%s%d", name, (r - low) / SOUND_STEP);
	s->de = devfs_register (devfs_handle, name_buf,
				DEVFS_FL_NONE, SOUND_MAJOR, s->unit_minor,
Error --->
				S_IFCHR | mode, fops, NULL);
	return r;

[BUG] Might be okay, but probably not a good idea.  Seems to put scb on
the free list, then derefs it in the call to ips_send_cmd.  Okay if this
is not interruptible?
ERROR:FREE:2818:2839: WARN: Use-after-free of "scb"! set by
Start --->
         ips_freescb(ha, scb);
      case IPS_SUCCESS_IMM:
         if (scb->scsi_cmd) {

	... DELETED lines ...


Error --->
      ret = ips_send_cmd(ha, scb);

      if (ret == IPS_SUCCESS) {

[BUG] same as above.
ERROR:FREE:2827:2839: WARN: Use-after-free of "scb"! set by

[BUG] lapbeth_prev is dereferenced on the next iteration through the loop.
ERROR:FREE:113:116: WARN: Use-after-free of "lapbeth"! set by 'kfree':113

Start --->

Error --->
		lapbeth_prev = lapbeth;

[BUG] bpq is freed, assigned to another variable (bpq_prev), then
dereferenced on the next time through the loop.  Analogous to above case
with lapbeth_prev.
ERROR:FREE:193:196: WARN: Use-after-free of "bpq"! set by 'kfree':193

[BUG] Derefs dev on next iteration unless dev is set to NULL.
ERROR:FREE:1243:1233: Use-after-free of 'dev'! set by 'kfree':1243
Error --->
	while (dev) {
		struct netdev_private *np = (void *)(dev->priv);
#ifdef USE_IO_OPS
		release_mem_region(pci_resource_start(pdev, 1),
		iounmap((char *)(dev->base_addr));
Start --->

ERROR:FREE:1264:1265: Use-after-free of 'p'! set by 'kfree':1264

Start --->
Error --->
    return(p[0]);                /* return the number of posted buffers */

ERROR:FREE:318:319: Use-after-free of 'self'! set by 'kfree':318

Start --->
Error --->
		return -ENOMEM;

[BUG] The use of p is fine, but the derefs of p right after that probably
are not.  This is not as serious because it is in a print statement in an
error case.
ERROR:FREE:1035:1038: WARN: Use-after-free of "p"! set by 'kfree':1035

 free3:kfree (p->RIOPortp);
 free2:kfree (p->RIOHosts);
Start --->
 free1:kfree (p);
  rio_dprintk (RIO_DEBUG_INIT, "Not enough memory! %p %p %p %p %p\n", 
Error --->
               p, p->RIOHosts, p->RIOPortp, rio_termios, rio_termios);
  return -ENOMEM;

[BUG] See code following next error.
ERROR:FREE:664:668: Use-after-free of 'buff'! set by 'kfree':664

[BUG] Potential double free of c.
ERROR:FREE:663:667: WARN: Use-after-free of "c"! set by 'cmd_free':663

            cmd_free(NULL, c);
Start --->
		cmd_free(NULL, c);
Error --->
    if (buff != NULL)

[QUESTION] It appears that the len field is not cleared out by
dev_kfree_skb_any.  Is this true in general of the skb freeing functions?
It appears that the data field is also not cleared (except potentially by
the destructor function?).  Are there any other fields which are okay to 
Also is it always bad to double free an skb, or is there some idiomatic
way to determine the current reference count on the skb?  Thanks for the
ERROR:FREE:1321:1323: Use-after-free of 'skb'! set by

Start --->
#if LINUX_VERSION_CODE >= 0x20312
Error --->
             atm_return(vcc, atm_guess_pdu2truesize(skb->len));
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/