[PATCH v2] video: fbdev: imxfb: use after free in imxfb

linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] video: fbdev: imxfb: use after free in imxfb_remove()
@ 2017-07-13  7:53 Dan Carpenter
  2017-07-31 16:34 ` Bartlomiej Zolnierkiewicz
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2017-07-13  7:53 UTC (permalink / raw)
  To: linux-fbdev

We free "info" then dereference it on the next line.  Really this whole
function would be better if we wrote it to unwind in the mirror of how
things are allocated in the probe.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: re-order the whole function

diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
index c166e0725be5..ba82f97fb42b 100644
--- a/drivers/video/fbdev/imxfb.c
+++ b/drivers/video/fbdev/imxfb.c
@@ -1073,20 +1073,16 @@ static int imxfb_remove(struct platform_device *pdev)
 	imxfb_disable_controller(fbi);
 
 	unregister_framebuffer(info);
-
+	fb_dealloc_cmap(&info->cmap);
 	pdata = dev_get_platdata(&pdev->dev);
 	if (pdata && pdata->exit)
 		pdata->exit(fbi->pdev);
-
-	fb_dealloc_cmap(&info->cmap);
-	kfree(info->pseudo_palette);
-	framebuffer_release(info);
-
 	dma_free_wc(&pdev->dev, fbi->map_size, info->screen_base,
 		    fbi->map_dma);
-
 	iounmap(fbi->regs);
 	release_mem_region(res->start, resource_size(res));
+	kfree(info->pseudo_palette);
+	framebuffer_release(info);
 
 	return 0;
 }

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] video: fbdev: imxfb: use after free in imxfb_remove()
  2017-07-13  7:53 [PATCH v2] video: fbdev: imxfb: use after free in imxfb_remove() Dan Carpenter
@ 2017-07-31 16:34 ` Bartlomiej Zolnierkiewicz
  0 siblings, 0 replies; 2+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2017-07-31 16:34 UTC (permalink / raw)
  To: linux-fbdev

On Thursday, July 13, 2017 10:53:14 AM Dan Carpenter wrote:
> We free "info" then dereference it on the next line.  Really this whole
> function would be better if we wrote it to unwind in the mirror of how
> things are allocated in the probe.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Patch queued for 4.13, thanks.

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-07-31 16:34 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-13  7:53 [PATCH v2] video: fbdev: imxfb: use after free in imxfb_remove() Dan Carpenter
2017-07-31 16:34 ` Bartlomiej Zolnierkiewicz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).