From: Julia Lawall Date: Tue, 22 Dec 2009 20:31:43 +0000 (+0100) Subject: mfd: Correct use after free for t7l66xb X-Git-Tag: firefly_0821_release~9833^2~2831^2~62 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=0e820ab60118e06db62ef4e55b6dd96db807a34e;p=firefly-linux-kernel-4.4.55.git mfd: Correct use after free for t7l66xb The structure t7l66xb should not be freed before the subsequent references to its fields in the arguments to clk_put. Furthermore, this structure is allocated near the beginning of the function, and a goto to the label err_noirq appears after a successful allocation, so it would seem that the kfree should be moved down below this label. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // Signed-off-by: Julia Lawall --- diff --git a/drivers/mfd/t7l66xb.c b/drivers/mfd/t7l66xb.c index e0bbddd7aac2..26d9176fca91 100644 --- a/drivers/mfd/t7l66xb.c +++ b/drivers/mfd/t7l66xb.c @@ -403,12 +403,12 @@ static int t7l66xb_probe(struct platform_device *dev) err_ioremap: release_resource(&t7l66xb->rscr); err_request_scr: - kfree(t7l66xb); clk_put(t7l66xb->clk48m); err_clk48m_get: clk_put(t7l66xb->clk32k); err_clk32k_get: err_noirq: + kfree(t7l66xb); return ret; }