[PATCH 1/2] devfreq: fix use after free in devfreq_remove_device

From: Axel Lin
Date: Thu Nov 10 2011 - 02:28:34 EST


In devfreq_remove_device, calling _remove_devfreq will also free devfreq.
Don't dereference devfreq->governor->no_central_polling after _remove_devfreq.

Signed-off-by: Axel Lin <axel.lin@xxxxxxxxx>
---
drivers/devfreq/devfreq.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index d065925..59d24e9 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -418,10 +418,14 @@ out:
*/
int devfreq_remove_device(struct devfreq *devfreq)
{
+ bool central_polling;
+
if (!devfreq)
return -EINVAL;

- if (!devfreq->governor->no_central_polling) {
+ central_polling = !devfreq->governor->no_central_polling;
+
+ if (central_polling) {
mutex_lock(&devfreq_list_lock);
while (wait_remove_device == devfreq) {
mutex_unlock(&devfreq_list_lock);
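Review bot: The new local `central_polling` at the top of devfreq_remove_device carries no comment explaining why the governor flag is cached instead of being read where it is used. Per the commit message, _remove_devfreq frees devfreq, so a one-line comment at the assignment (for example "read before _remove_devfreq() frees devfreq") would stop a later cleanup from folding the flag back into the second condition and reintroducing the dereference of freed memory.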
@@ -433,7 +437,7 @@ int devfreq_remove_device(struct devfreq *devfreq)
mutex_lock(&devfreq->lock);
_remove_devfreq(devfreq, false); /* it unlocks devfreq->lock */

- if (!devfreq->governor->no_central_polling)
+ if (central_polling)
mutex_unlock(&devfreq_list_lock);

return 0;
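Review bot: The comment on the `_remove_devfreq(devfreq, false);` line still says only "it unlocks devfreq->lock", while the commit message states that the call also frees devfreq. Please extend that comment to say devfreq must not be touched after this call, since that is the invariant the switch to `if (central_polling)` relies on and nothing else in the visible lines documents it.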
--
1.7.5.4


