mirror of https://gitee.com/openkylin/linux.git
mfd: Correct use after free for t7l66xb
The structure t7l66xb should not be freed before the subsequent references to its fields in the arguments to clk_put. Furthermore, this structure is allocated near the beginning of the function, and a goto to the label err_noirq appears after a successful allocation, so it would seem that the kfree should be moved down below this label. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk>
This commit is contained in:
Julia Lawall
Samuel Ortiz
parent
1ecc09e765
commit
0e820ab601
|
|
@ -403,12 +403,12 @@ static int t7l66xb_probe(struct platform_device *dev)
|
||||||
err_ioremap:
|
err_ioremap:
|
||||||
release_resource(&t7l66xb->rscr);
|
release_resource(&t7l66xb->rscr);
|
||||||
err_request_scr:
|
err_request_scr:
|
||||||
kfree(t7l66xb);
|
|
||||||
clk_put(t7l66xb->clk48m);
|
clk_put(t7l66xb->clk48m);
|
||||||
err_clk48m_get:
|
err_clk48m_get:
|
||||||
clk_put(t7l66xb->clk32k);
|
clk_put(t7l66xb->clk32k);
|
||||||
err_clk32k_get:
|
err_clk32k_get:
|
||||||
err_noirq:
|
err_noirq:
|
||||||
|
kfree(t7l66xb);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue