[PATCH] ibmasm: use after free fix

The kobject_put() can free the memory at *cmd, but cmd->lock points to a persistent lock that is not freed with cmd. Signed-off-by: Max Asbock <[email protected]> Cc: Vernon Mauery <[email protected]> Cc: Srihari Vijayaraghavan <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
cbmeeks · Mar 10, 2006 · 6a88231 · 6a88231
1 parent a6bf527
commit 6a88231
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/drivers/misc/ibmasm/ibmasm.h b/drivers/misc/ibmasm/ibmasm.h
@@ -101,15 +101,16 @@ struct command {
 static inline void command_put(struct command *cmd)
 {
 	unsigned long flags;
+	spinlock_t *lock = cmd->lock;
 
-	spin_lock_irqsave(cmd->lock, flags);
-        kobject_put(&cmd->kobj);
-	spin_unlock_irqrestore(cmd->lock, flags);
+	spin_lock_irqsave(lock, flags);
+	kobject_put(&cmd->kobj);
+	spin_unlock_irqrestore(lock, flags);
 }
 
 static inline void command_get(struct command *cmd)
 {
-        kobject_get(&cmd->kobj);
+	kobject_get(&cmd->kobj);
 }