From: Marek Vasut <marex@denx.de>
To: Jesper Juhl <jj@chaosbits.net>
Cc: linux-kernel@vger.kernel.org,
Felipe Contreras <felipe.contreras@gmail.com>,
Felipe Balbi <balbi@ti.com>,
Anton Vorontsov <anton.vorontsov@linaro.org>,
Heikki Krogerus <heikki.krogerus@linux.intel.com>,
Kalle Jokiniemi <kalle.jokiniemi@nokia.com>
Subject: Re: [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe()
Date: Sun, 22 Apr 2012 22:34:59 +0200 [thread overview]
Message-ID: <201204222234.59624.marex@denx.de> (raw)
In-Reply-To: <alpine.LNX.2.00.1204222210290.27455@swampdragon.chaosbits.net>
Dear Jesper Juhl,
> In isp1704_charger_probe() at the 'fail0:' label we kfree(isp) and
> then subsequently call isp1704_charger_set_power(isp, 0). That's a
> problem since isp1704_charger_set_power() dereferences the pointer it
> is passed as its first argument, which is 'isp', which we already
> freed.
>
> Fixed by simply swapping the order of the two calls so that we only
> kfree() *after* the call to isp1704_charger_set_power().
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> ---
> drivers/power/isp1704_charger.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/power/isp1704_charger.c
> b/drivers/power/isp1704_charger.c index 39eb50f..8a610da 100644
> --- a/drivers/power/isp1704_charger.c
> +++ b/drivers/power/isp1704_charger.c
> @@ -476,11 +476,9 @@ fail2:
> fail1:
> usb_put_transceiver(isp->phy);
> fail0:
> - kfree(isp);
> -
> dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
> -
> isp1704_charger_set_power(isp, 0);
> + kfree(isp);
Use devm_kzalloc() and be done with all this goo?
> return ret;
> }
Best regards,
Marek Vasut
next prev parent reply other threads:[~2012-04-22 20:35 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-22 20:13 [PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe() Jesper Juhl
2012-04-22 20:34 ` Marek Vasut [this message]
2012-05-06 3:12 ` Anton Vorontsov
2012-05-06 13:18 ` Jesper Juhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201204222234.59624.marex@denx.de \
--to=marex@denx.de \
--cc=anton.vorontsov@linaro.org \
--cc=balbi@ti.com \
--cc=felipe.contreras@gmail.com \
--cc=heikki.krogerus@linux.intel.com \
--cc=jj@chaosbits.net \
--cc=kalle.jokiniemi@nokia.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.