kconfig: delay symbol direct dependency initialization

This fixes the use-after-free and associated crash in kconfig introduced in commit 246cf9c26bf11f2bffbecea6e5bd222eee7b1df8. Signed-off-by: Arnaud Lacombe <lacombar@gmail.com> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Michal Marek <mmarek@suse.cz>

kconfig: delay symbol direct dependency initialization
This fixes the use-after-free and associated crash in kconfig introduced in commit 246cf9c26bf11f2bffbecea6e5bd222eee7b1df8. Signed-off-by: Arnaud Lacombe <lacombar@gmail.com> Acked-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Michal Marek <mmarek@suse.cz>
Arnaud Lacombe · Michal Marek
1 parent 8558f59edf
Showing 2 changed files with 2 additions and 6 deletions Side-by-side Diff
scripts/kconfig/expr.h
scripts/kconfig/menu.c
@@ -165,7 +165,6 @@
 	struct symbol *sym;
 	struct property *prompt;
 	struct expr *dep;
-	struct expr *dir_dep;
 	unsigned int flags;
 	char *help;
 	struct file *file;
@@ -107,7 +107,6 @@
 void menu_add_dep(struct expr *dep)
 {
 	current_entry->dep = expr_alloc_and(current_entry->dep, menu_check_dep(dep));
-	current_entry->dir_dep = current_entry->dep;
 }
  
 void menu_set_type(int type)
@@ -291,10 +290,6 @@
 		for (menu = parent->list; menu; menu = menu->next)
 			menu_finalize(menu);
 	} else if (sym) {
-		/* ignore inherited dependencies for dir_dep */
-		sym->dir_dep.expr = expr_transform(expr_copy(parent->dir_dep));
-		sym->dir_dep.expr = expr_eliminate_dups(sym->dir_dep.expr);
-
 		basedep = parent->prompt ? parent->prompt->visible.expr : NULL;
 		basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no);
 		basedep = expr_eliminate_dups(expr_transform(basedep));
@@ -325,6 +320,8 @@
 			parent->next = last_menu->next;
 			last_menu->next = NULL;
 		}
+
+		sym->dir_dep.expr = parent->dep;
 	}
 	for (menu = parent->list; menu; menu = menu->next) {
 		if (sym && sym_is_choice(sym) &&
...	...	@@ -165,7 +165,6 @@
165	165	struct symbol *sym;
166	166	struct property *prompt;
167	167	struct expr *dep;
168		- struct expr *dir_dep;
169	168	unsigned int flags;
170	169	char *help;
171	170	struct file *file;
...	...	@@ -107,7 +107,6 @@
107	107	void menu_add_dep(struct expr *dep)
108	108	{
109	109	current_entry->dep = expr_alloc_and(current_entry->dep, menu_check_dep(dep));
110		- current_entry->dir_dep = current_entry->dep;
111	110	}
112	111
113	112	void menu_set_type(int type)
...	...	@@ -291,10 +290,6 @@
291	290	for (menu = parent->list; menu; menu = menu->next)
292	291	menu_finalize(menu);
293	292	} else if (sym) {
294		- /* ignore inherited dependencies for dir_dep */
295		- sym->dir_dep.expr = expr_transform(expr_copy(parent->dir_dep));
296		- sym->dir_dep.expr = expr_eliminate_dups(sym->dir_dep.expr);
297		-
298	293	basedep = parent->prompt ? parent->prompt->visible.expr : NULL;
299	294	basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no);
300	295	basedep = expr_eliminate_dups(expr_transform(basedep));
...	...	@@ -325,6 +320,8 @@
325	320	parent->next = last_menu->next;
326	321	last_menu->next = NULL;
327	322	}
	323	+
	324	+ sym->dir_dep.expr = parent->dep;
328	325	}
329	326	for (menu = parent->list; menu; menu = menu->next) {
330	327	if (sym && sym_is_choice(sym) &&