&mtd->partitions_entry is added to the parents partition list only when DEVFS_PARTITION_FIXED is not set, but later this check is not done when removing it from the list again. This results in NULL pointer derefs when a mtd partition is added with DEVFS_PARTITION_FIXED set and removed later. Do a INIT_LIST_HEAD() on &mtd->partitions_entry so we can safely call list_del() on it later without additional checks. This means we can remove the existing check as well. Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> --- drivers/mtd/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/core.c b/drivers/mtd/core.c index ae6b0f9cd4..97a7996cf6 100644 --- a/drivers/mtd/core.c +++ b/drivers/mtd/core.c @@ -688,6 +688,7 @@ int add_mtd_device(struct mtd_info *mtd, const char *devname, int device_id) mtd->dev.id); INIT_LIST_HEAD(&mtd->partitions); + INIT_LIST_HEAD(&mtd->partitions_entry); mtd->cdev.priv = mtd; mtd->cdev.dev = &mtd->dev; @@ -763,8 +764,7 @@ int del_mtd_device(struct mtd_info *mtd) unregister_device(&mtd->dev); free(mtd->param_size.value); free(mtd->cdev.name); - if (mtd->parent) - list_del(&mtd->partitions_entry); + list_del(&mtd->partitions_entry); return 0; } -- 2.39.2
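Review bot: In the add_mtd_device() hunk, the new INIT_LIST_HEAD(&mtd->partitions_entry) is only safe if it runs before the point where the entry is linked into the parent's partition list, and that list_add is not visible in this context. If the linking happened earlier, re-initialising here would leave the parent's list pointing at a node that considers itself unlinked. Please confirm the ordering. Since initialising a list entry (rather than a list head) is unusual, a one-line comment above it would also help, saying it exists so that del_mtd_device() can call list_del() unconditionally.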
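Review bot: In the del_mtd_device() hunk, the now unconditional list_del(&mtd->partitions_entry) depends on every mtd_info that reaches this function having passed the INIT_LIST_HEAD() line in add_mtd_device(). A zero-initialised mtd_info that gets here after an early failure in add_mtd_device(), or that was never registered, would hit the same NULL dereference the commit message describes, and the removed "if (mtd->parent)" test used to cover at least the non-partition case. Either state that invariant in the commit message, or consider list_del_init() if the list implementation provides it, so that a second del_mtd_device() on the same object also stays harmless.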