From: Dan Carpenter Date: Fri, 8 Nov 2013 09:53:48 +0000 (+0300) Subject: serial: icom: dereference after free in load_code() X-Git-Tag: firefly_0821_release~176^2~4543^2^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=d6a62b3b7eb1a000718f8ecac0c31eaa1e1f1187;p=firefly-linux-kernel-4.4.55.git serial: icom: dereference after free in load_code() We use "fw" in the next line after we release it. I've shifted the call to release_firmware() down a couple lines to fix this. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/tty/serial/icom.c b/drivers/tty/serial/icom.c index d98e43348970..67423805e6d9 100644 --- a/drivers/tty/serial/icom.c +++ b/drivers/tty/serial/icom.c @@ -455,11 +455,11 @@ static void load_code(struct icom_port *icom_port) for (index = 0; index < fw->size; index++) new_page[index] = fw->data[index]; - release_firmware(fw); - writeb((char) ((fw->size + 16)/16), &icom_port->dram->mac_length); writel(temp_pci, &icom_port->dram->mac_load_addr); + release_firmware(fw); + /*Setting the syncReg to 0x80 causes adapter to start downloading the personality code into adapter instruction RAM. Once code is loaded, it will begin executing and, based on