Hi,

On 07/31/2012 12:09 PM, Julia Lawall wrote:
> From: Julia Lawall <Julia.Lawall@xxxxxxx>
> @@ -720,20 +698,14 @@ error_ret: > static int __devexit at91_adc_remove(struct platform_device *pdev) > { > struct iio_dev *idev = platform_get_drvdata(pdev); > - struct resource *res = platform_get_resource(pdev, IORESOURCE_MEM, 0); > struct at91_adc_state *st = iio_priv(idev); > > iio_device_unregister(idev); > [...] > - free_irq(st->irq, idev); > [...] > iio_device_free(idev);

I think we have to be careful here. The interrupt is now freed after the device has been freed, which means that it could trigger after the device has been freed. And since we use the device in the interrupt handler we'll get a use after free.

- Lars
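
Review bot: in at91_adc_remove(), dropping `free_irq(st->irq, idev);` leaves nothing in the visible lines that releases the IRQ before `iio_device_free(idev)`, even though idev is the cookie the handler receives. Keep an explicit release ahead of the free so the handler can no longer run against freed memory: either retain `free_irq(st->irq, idev);` at its current position, or, assuming the request side was converted to a managed IRQ (not visible in the quoted lines), call devm_free_irq() there instead. A short comment on the required teardown order (unregister, release IRQ, then free idev) would stop a later cleanup from reintroducing the problem.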