The patch titled
rtc/mc13783: fix use after free bug
has been added to the -mm tree. Its filename is
rtc-mc13783-fix-use-after-free-bug.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: rtc/mc13783: fix use after free bug
From: Uwe Kleine-König <u.kleine-koenig@xxxxxxxxxxxxxx>
This was introduced by v2.6.34-rc1~38:
4c014e8 (rtc/mc13783: protect rtc {,un}registration by mc13783 lock)
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@xxxxxxxxxxxxxx>
Reported-by: Dan Carpenter <error27@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
drivers/rtc/rtc-mc13783.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff -puN drivers/rtc/rtc-mc13783.c~rtc-mc13783-fix-use-after-free-bug drivers/rtc/rtc-mc13783.c
--- a/drivers/rtc/rtc-mc13783.c~rtc-mc13783-fix-use-after-free-bug
+++ a/drivers/rtc/rtc-mc13783.c
@@ -319,35 +319,38 @@ static int __devinit mc13783_rtc_probe(s
{
int ret;
struct mc13783_rtc *priv;
+ struct mc13783 *mc13783;
int rtcrst_pending;
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
- priv->mc13783 = dev_get_drvdata(pdev->dev.parent);
+ mc13783 = dev_get_drvdata(pdev->dev.parent);
+ priv->mc13783 = mc13783;
+
platform_set_drvdata(pdev, priv);
- mc13783_lock(priv->mc13783);
+ mc13783_lock(mc13783);
- ret = mc13783_irq_request(priv->mc13783, MC13783_IRQ_RTCRST,
+ ret = mc13783_irq_request(mc13783, MC13783_IRQ_RTCRST,
mc13783_rtc_reset_handler, DRIVER_NAME, priv);
if (ret)
goto err_reset_irq_request;
- ret = mc13783_irq_status(priv->mc13783, MC13783_IRQ_RTCRST,
+ ret = mc13783_irq_status(mc13783, MC13783_IRQ_RTCRST,
NULL, &rtcrst_pending);
if (ret)
goto err_reset_irq_status;
priv->valid = !rtcrst_pending;
- ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_1HZ,
+ ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_1HZ,
mc13783_rtc_update_handler, DRIVER_NAME, priv);
if (ret)
goto err_update_irq_request;
- ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_TODA,
+ ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_TODA,
mc13783_rtc_alarm_handler, DRIVER_NAME, priv);
if (ret)
goto err_alarm_irq_request;
@@ -357,22 +360,22 @@ static int __devinit mc13783_rtc_probe(s
if (IS_ERR(priv->rtc)) {
ret = PTR_ERR(priv->rtc);
- mc13783_irq_free(priv->mc13783, MC13783_IRQ_TODA, priv);
+ mc13783_irq_free(mc13783, MC13783_IRQ_TODA, priv);
err_alarm_irq_request:
- mc13783_irq_free(priv->mc13783, MC13783_IRQ_1HZ, priv);
+ mc13783_irq_free(mc13783, MC13783_IRQ_1HZ, priv);
err_update_irq_request:
err_reset_irq_status:
- mc13783_irq_free(priv->mc13783, MC13783_IRQ_RTCRST, priv);
+ mc13783_irq_free(mc13783, MC13783_IRQ_RTCRST, priv);
err_reset_irq_request:
platform_set_drvdata(pdev, NULL);
kfree(priv);
}
- mc13783_unlock(priv->mc13783);
+ mc13783_unlock(mc13783);
return ret;
}
_
Patches currently in -mm which might be from u.kleine-koenig@xxxxxxxxxxxxxx are
origin.patch
rtc-mc13783-fix-use-after-free-bug.patch
linux-next.patch
hrtimer-correct-a-few-numbers-in-comments.patch
clockevents-ensure-taht-min_delta_ns-is-increased-in-error-path.patch
timer-print-function-name-for-timer-callbacks-modifying-preemption-count.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
