[PATCH] mtd: fix use after free in register_mtd_blktrans

From: Marcin Slusarz
Date: Sat Mar 28 2009 - 13:44:55 EST


Dan Carpenter wrote:
> I added a check to smatch (http://repo.or.cz/w/smatch.git/) to check
> for when we dereference freed memory.
>
> (...)
> drivers/mtd/mtd_blkdevs.c +389 register_mtd_blktrans(49) '*tr->blkcore_priv'
> (...)

Fix:
---
From: Marcin Slusarz <marcin.slusarz@xxxxxxxxx>
Subject: [PATCH] mtd: fix use after free in register_mtd_blktrans

Reported-by: Dan Carpenter <error27@xxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
Signed-off-by: Marcin Slusarz <marcin.slusarz@xxxxxxxxx>
---
drivers/mtd/mtd_blkdevs.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
index 1409f01..4109e0b 100644
--- a/drivers/mtd/mtd_blkdevs.c
+++ b/drivers/mtd/mtd_blkdevs.c
@@ -382,11 +382,12 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr)
tr->blkcore_priv->thread = kthread_run(mtd_blktrans_thread, tr,
"%sd", tr->name);
if (IS_ERR(tr->blkcore_priv->thread)) {
+ int ret = PTR_ERR(tr->blkcore_priv->thread);
blk_cleanup_queue(tr->blkcore_priv->rq);
unregister_blkdev(tr->major, tr->name);
kfree(tr->blkcore_priv);
mutex_unlock(&mtd_table_mutex);
- return PTR_ERR(tr->blkcore_priv->thread);
+ return ret;
}

INIT_LIST_HEAD(&tr->devs);
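Review bot: in the IS_ERR() branch, kfree(tr->blkcore_priv) still leaves tr->blkcore_priv pointing at freed memory inside the ops structure the caller passed in, which is the same pattern that produced this bug. Saving PTR_ERR() into ret before the cleanup removes the dereference in the return statement; adding `tr->blkcore_priv = NULL;` directly after the kfree() would make any later stray access through tr fault on a NULL pointer instead of reading freed memory. The changelog would also benefit from one sentence saying that the old return statement read tr->blkcore_priv->thread after the kfree(), since the subject line alone does not say where the use after free happens.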
--
1.6.0.6
