From patchwork Fri Mar 6 01:43:18 2009
X-Patchwork-Submitter: Atsushi Nemoto
X-Patchwork-Id: 24135
Date: Fri, 06 Mar 2009 10:43:18 +0900 (JST)
Message-Id: <20090306.104318.233533541.nemoto@toshiba-tops.co.jp>
To: dwmw2@infradead.org
Subject: [PATCH] mtd: physmap: Fix NULL pointer dereference in error path
From: Atsushi Nemoto
Cc: akpm@linux-foundation.org, linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, philipp.zabel@gmail.com, matthias@kaehlcke.net

commit e480814f138cd5d78a8efe397756ba6b6518fdb6 ("[MTD] [MAPS] physmap: fix wrong free and del_mtd_{partition,device}") introduces a NULL pointer dereference in physmap_flash_remove when called from the error path in physmap_flash_probe (if map_probe failed).

Call del_mtd_{partition,device} only if info->cmtd was not NULL.

Reported-by: pHilipp Zabel
Signed-off-by: Atsushi Nemoto
---
 drivers/mtd/maps/physmap.c | 19 +++++++++++--------
 1 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/mtd/maps/physmap.c b/drivers/mtd/maps/physmap.c
index 4b122e7..2297182 100644
--- a/drivers/mtd/maps/physmap.c
+++ b/drivers/mtd/maps/physmap.c
@@ -46,16 +46,19 @@ static int physmap_flash_remove(struct platform_device *dev) physmap_data = dev->dev.platform_data; + if (info->cmtd) { #ifdef CONFIG_MTD_PARTITIONS - if (info->nr_parts) { - del_mtd_partitions(info->cmtd); - kfree(info->parts); - } else if (physmap_data->nr_parts) - del_mtd_partitions(info->cmtd); - else - del_mtd_device(info->cmtd); + if (info->nr_parts || physmap_data->nr_parts) + del_mtd_partitions(info->cmtd); + else + del_mtd_device(info->cmtd); #else - del_mtd_device(info->cmtd); + del_mtd_device(info->cmtd); +#endif + } +#ifdef CONFIG_MTD_PARTITIONS + if (info->nr_parts) + kfree(info->parts); #endif #ifdef CONFIG_MTD_CONCAT
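
Review bot: The new `if (info->cmtd) {` guard at the top of the hunk carries no comment saying when cmtd can legitimately be NULL. The commit message explains it (physmap_flash_remove is reached from the physmap_flash_probe error path when map_probe failed), and a one-line comment above the guard would stop a later cleanup from treating it as dead code and reintroducing the dereference. Separately, the relocated `kfree(info->parts);` at the end of the hunk is keyed on `info->nr_parts` rather than on the pointer: kfree() is a no-op for NULL, so the condition only helps if nr_parts and parts are always set together, and that invariant is worth stating or the condition dropped. The hunk also leaves two adjacent `#ifdef CONFIG_MTD_PARTITIONS` blocks, one nested inside the `if` body and one right after it; folding the kfree into a small helper or a single conditional region would make the teardown order easier to audit.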