regulator core: fix double-free in regulator_register() error path

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Linux Kernel Mailing List

Subject: regulator core: fix double-free in regulator_register() error path

Date: Tuesday, April 28, 2009 - 4:59 pm

Gitweb:     http://git.kernel.org/linus/53032dafc6b93ac178ca2340ff8eb4ee2b3d1a92
Commit:     53032dafc6b93ac178ca2340ff8eb4ee2b3d1a92
Parent:     cd78dfc6c6e321a310a73ef7b0df3d262704dd55
Author:     Paul Walmsley <paul@pwsan.com>
AuthorDate: Sat Apr 25 05:28:36 2009 -0600
Committer:  Liam Girdwood <lrg@slimlogic.co.uk>
CommitDate: Tue Apr 28 18:58:07 2009 +0100

    regulator core: fix double-free in regulator_register() error path
    
    During regulator registration, any error after device_register() will
    cause a double-free on the struct regulator_dev 'rdev'.  The bug is in
    drivers/regulator/core.c:regulator_register():
    
    ...
    scrub:
    	device_unregister(&rdev->dev);
    clean:
    	kfree(rdev);                           <---
    	rdev = ERR_PTR(ret);
    	goto out;
    ...
    
    device_unregister() calls regulator_dev_release() which frees rdev.  The
    subsequent kfree corrupts memory and causes some OMAP3 systems to oops on
    boot in regulator_get().
    
    Applies against 2.6.30-rc3.
    
    Signed-off-by: Paul Walmsley <paul@pwsan.com>
    Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
    Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
---
 drivers/regulator/core.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index cb62be6..2f14c16 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -2080,6 +2080,10 @@ out:
 
 scrub:
 	device_unregister(&rdev->dev);
+	/* device core frees rdev */
+	rdev = ERR_PTR(ret);
+	goto out;
+
 clean:
 	kfree(rdev);
 	rdev = ERR_PTR(ret);
--
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

regulator core: fix double-free in regulator_register() er ..., Linux Kernel Mailing ..., (Tue Apr 28, 4:59 pm)


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	[PATCH 2/2] Subject: natsemi: Allow users to disable workaround for DspCfg reset
Tony Breeds	[LGUEST] Look in object dir for .config
git:
Brian Downing	Re: Git in a Nutshell guide
John Benes	Re: master has some toys
Matthias Lederhofer	[PATCH 4/7] introduce GIT_WORK_TREE to specify the work tree
Alexander Sulfrian	[RFC/PATCH] RE: git calls SSH_ASKPASS even if DISPLAY is not set
Junio C Hamano	Re: Rss produced by git is not valid xml?
git-commits-head:
Linux Kernel Mailing List	iSeries: fix section mismatch in iseries_veth
Linux Kernel Mailing List	ixbge: remove TX lock and redo TX accounting.
Linux Kernel Mailing List	ixgbe: fix several counter register errata
Linux Kernel Mailing List	b43: fix build with CONFIG_SSB_PCIHOST=n
Linux Kernel Mailing List	9p: block-based virtio client
linux-netdev:
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()