From: NeilBrown <neilb@suse.de>
To: Jarkko Nikula <jarkko.nikula@bitmer.com>
Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>,
Janusz Krzysztofik <jkrzyszt@tis.icnet.pl>,
Tony Lindgren <tony@atomide.com>,
linux-omap@vger.kernel.org, lkml <linux-kernel@vger.kernel.org>
Subject: Commit 09d28d2c19 introduces set-after-free in arch/arm/mach-omap2/mcbsp.c
Date: Sun, 11 Dec 2011 17:08:13 +1100 [thread overview]
Message-ID: <20111211170813.02fd478a@notabene.brown> (raw)
[-- Attachment #1: Type: text/plain, Size: 2166 bytes --]
Hi,
commit 09d28d2c19fe5c2d51b3133329584166dec89f86
Author: Jarkko Nikula <jarkko.nikula@bitmer.com>
Date: Mon Sep 26 10:45:48 2011 +0300
ARM: OMAP: mcbsp: Start generalize omap2_mcbsp_set_clks_src
...
contains (when displayed with "-U10"):
diff --git a/arch/arm/mach-omap2/mcbsp.c b/arch/arm/mach-omap2/mcbsp.c
index 92bd5e2..3dd4c47 100644
--- a/arch/arm/mach-omap2/mcbsp.c
+++ b/arch/arm/mach-omap2/mcbsp.c
....
@@ -181,20 +173,21 @@ static int omap_init_mcbsp(struct omap_hwmod *oh, void *unused)
}
pdev = omap_device_build_ss(name, id, oh_device, count, pdata,
sizeof(*pdata), omap2_mcbsp_latency,
ARRAY_SIZE(omap2_mcbsp_latency), false);
kfree(pdata);
if (IS_ERR(pdev)) {
pr_err("%s: Can't build omap_device for %s:%s.\n", __func__,
name, oh->name);
return PTR_ERR(pdev);
}
+ pdata->set_clk_src = omap2_mcbsp_set_clk_src;
omap_mcbsp_count++;
return 0;
}
static int __init omap2_mcbsp_init(void)
{
omap_hwmod_for_each_by_class("mcbsp", omap_init_mcbsp, NULL);
mcbsp_ptr = kzalloc(omap_mcbsp_count * sizeof(struct omap_mcbsp *),
GFP_KERNEL);
which sets a field in pdata after it has been freed.
commit 7bc0c4bac72375517d904e02c46da2a23e079e8b
Author: Jarkko Nikula <jarkko.nikula@bitmer.com>
Date: Mon Sep 26 10:45:49 2011 +0300
then adds
@@ -181,6 +184,8 @@ static int omap_init_mcbsp(struct omap_hwmod *oh, void *unused)
return PTR_ERR(pdev);
}
pdata->set_clk_src = omap2_mcbsp_set_clk_src;
+ if (id == 1)
+ pdata->mux_signal = omap2_mcbsp1_mux_rx_clk;
omap_mcbsp_count++;
return 0;
}
which sets another field.
Should these settings just be moved up before the call to
omap_device_build_ss?? Doing that removes
[ 0.196014] Slab corruption: size-32 start=ded3edc0, len=32
warning.
Thanks,
NeilBrown
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
next reply other threads:[~2011-12-11 6:08 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-11 6:08 NeilBrown [this message]
2011-12-12 8:15 ` Commit 09d28d2c19 introduces set-after-free in arch/arm/mach-omap2/mcbsp.c Jarkko Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111211170813.02fd478a@notabene.brown \
--to=neilb@suse.de \
--cc=jarkko.nikula@bitmer.com \
--cc=jkrzyszt@tis.icnet.pl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-omap@vger.kernel.org \
--cc=peter.ujfalusi@ti.com \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox