authorJulia Lawall <julia@diku.dk>2010-07-30 11:17:28 -0400
committerRussell King <rmk+kernel@arm.linux.org.uk>2010-07-30 18:19:30 -0400
commitf2d2420bbf4bb125ea5f2e1573d4da6b668fc78a (patch)
treeb6a074ce9a14e7fc1f99641bb3e47b83417f34eb
parent74bc80931c8bc34d24545f992a35349ad548897c (diff)
SA1111: Eliminate use after free
__sa1111_remove always frees its argument, so the subsequent reference to sachip->saved_state represents a use after free. __sa1111_remove does not appear to use the saved_state field, so the patch simply frees it first. A simplified version of the semantic patch that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E,E2; @@ __sa1111_remove(E) ... ( E = E2 | * E ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
-rw-r--r--arch/arm/common/sa1111.c5
1 files changed, 2 insertions, 3 deletions
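--- a/arch/arm/common/sa1111.c
+++ b/arch/arm/common/sa1111.c
@@ -1028,13 +1028,12 @@ static int sa1111_remove(struct platform_device *pdev)
 	struct sa1111 *sachip = platform_get_drvdata(pdev);
 
 	if (sachip) {
-		__sa1111_remove(sachip);
-		platform_set_drvdata(pdev, NULL);
-
 #ifdef CONFIG_PM
 		kfree(sachip->saved_state);
 		sachip->saved_state = NULL;
 #endif
+		__sa1111_remove(sachip);
+		platform_set_drvdata(pdev, NULL);
 	}
 
 	return 0;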
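Review bot: On the new side, `platform_set_drvdata(pdev, NULL);` still runs after `__sa1111_remove(sachip)` has freed the chip structure, so the device's drvdata points at freed memory for the span between those two statements; swapping them so `platform_set_drvdata(pdev, NULL);` precedes `__sa1111_remove(sachip);` removes that window at no cost and keeps the "unpublish, then free" order that the rest of the fix is about. Relatedly, `sachip->saved_state = NULL;` is now a store into memory that is freed on the very next statement, so it no longer defends against anything; it is harmless, but a short comment such as `/* sachip itself is freed by __sa1111_remove() below */` would stop a reader from assuming it matters. Since the commit message says __sa1111_remove always frees its argument, if that helper has other callers (not visible here), moving the saved_state kfree into it would ensure every teardown path releases the buffer rather than only this one. The closing brace of sa1111_remove lies outside the hunk.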