mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-11 16:29:05 +00:00
rtc/mc13783: fix use after free bug
This was introduced by v2.6.34-rc1~38:
4c014e8 (rtc/mc13783: protect rtc {,un}registration by mc13783 lock)
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Uwe Kleine-König
Linus Torvalds
parent
e7bbcdf374
commit
05731b9794
@ -319,35 +319,38 @@ static int __devinit mc13783_rtc_probe(struct platform_device *pdev)
|
|||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
struct mc13783_rtc *priv;
|
struct mc13783_rtc *priv;
|
||||||
|
struct mc13783 *mc13783;
|
||||||
int rtcrst_pending;
|
int rtcrst_pending;
|
||||||
|
|
||||||
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
|
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
|
||||||
if (!priv)
|
if (!priv)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
priv->mc13783 = dev_get_drvdata(pdev->dev.parent);
|
mc13783 = dev_get_drvdata(pdev->dev.parent);
|
||||||
|
priv->mc13783 = mc13783;
|
||||||
|
|
||||||
platform_set_drvdata(pdev, priv);
|
platform_set_drvdata(pdev, priv);
|
||||||
|
|
||||||
mc13783_lock(priv->mc13783);
|
mc13783_lock(mc13783);
|
||||||
|
|
||||||
ret = mc13783_irq_request(priv->mc13783, MC13783_IRQ_RTCRST,
|
ret = mc13783_irq_request(mc13783, MC13783_IRQ_RTCRST,
|
||||||
mc13783_rtc_reset_handler, DRIVER_NAME, priv);
|
mc13783_rtc_reset_handler, DRIVER_NAME, priv);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err_reset_irq_request;
|
goto err_reset_irq_request;
|
||||||
|
|
||||||
ret = mc13783_irq_status(priv->mc13783, MC13783_IRQ_RTCRST,
|
ret = mc13783_irq_status(mc13783, MC13783_IRQ_RTCRST,
|
||||||
NULL, &rtcrst_pending);
|
NULL, &rtcrst_pending);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err_reset_irq_status;
|
goto err_reset_irq_status;
|
||||||
|
|
||||||
priv->valid = !rtcrst_pending;
|
priv->valid = !rtcrst_pending;
|
||||||
|
|
||||||
ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_1HZ,
|
ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_1HZ,
|
||||||
mc13783_rtc_update_handler, DRIVER_NAME, priv);
|
mc13783_rtc_update_handler, DRIVER_NAME, priv);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err_update_irq_request;
|
goto err_update_irq_request;
|
||||||
|
|
||||||
ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_TODA,
|
ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_TODA,
|
||||||
mc13783_rtc_alarm_handler, DRIVER_NAME, priv);
|
mc13783_rtc_alarm_handler, DRIVER_NAME, priv);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto err_alarm_irq_request;
|
goto err_alarm_irq_request;
|
||||||
@ -357,22 +360,22 @@ static int __devinit mc13783_rtc_probe(struct platform_device *pdev)
|
|||||||
if (IS_ERR(priv->rtc)) {
|
if (IS_ERR(priv->rtc)) {
|
||||||
ret = PTR_ERR(priv->rtc);
|
ret = PTR_ERR(priv->rtc);
|
||||||
|
|
||||||
mc13783_irq_free(priv->mc13783, MC13783_IRQ_TODA, priv);
|
mc13783_irq_free(mc13783, MC13783_IRQ_TODA, priv);
|
||||||
err_alarm_irq_request:
|
err_alarm_irq_request:
|
||||||
|
|
||||||
mc13783_irq_free(priv->mc13783, MC13783_IRQ_1HZ, priv);
|
mc13783_irq_free(mc13783, MC13783_IRQ_1HZ, priv);
|
||||||
err_update_irq_request:
|
err_update_irq_request:
|
||||||
|
|
||||||
err_reset_irq_status:
|
err_reset_irq_status:
|
||||||
|
|
||||||
mc13783_irq_free(priv->mc13783, MC13783_IRQ_RTCRST, priv);
|
mc13783_irq_free(mc13783, MC13783_IRQ_RTCRST, priv);
|
||||||
err_reset_irq_request:
|
err_reset_irq_request:
|
||||||
|
|
||||||
platform_set_drvdata(pdev, NULL);
|
platform_set_drvdata(pdev, NULL);
|
||||||
kfree(priv);
|
kfree(priv);
|
||||||
}
|
}
|
||||||
|
|
||||||
mc13783_unlock(priv->mc13783);
|
mc13783_unlock(mc13783);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user