rtc/mc13783: fix use after free bug
This was introduced by v2.6.34-rc1~38:

	4c014e8 (rtc/mc13783: protect rtc {,un}registration by mc13783 lock)

Signed-off-by: Uwe Kleine-König <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Uwe Kleine-König authored and torvalds committed Mar 24, 2010
1 parent e7bbcdf commit 05731b9
Showing 1 changed file with 13 additions and 10 deletions.
23 changes: 13 additions & 10 deletions drivers/rtc/rtc-mc13783.c
Expand Up @@ -319,35 +319,38 @@ static int __devinit mc13783_rtc_probe(struct platform_device *pdev)
{
int ret;
struct mc13783_rtc *priv;
struct mc13783 *mc13783;
int rtcrst_pending;

priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;

priv->mc13783 = dev_get_drvdata(pdev->dev.parent);
mc13783 = dev_get_drvdata(pdev->dev.parent);
priv->mc13783 = mc13783;

platform_set_drvdata(pdev, priv);

mc13783_lock(priv->mc13783);
mc13783_lock(mc13783);

ret = mc13783_irq_request(priv->mc13783, MC13783_IRQ_RTCRST,
ret = mc13783_irq_request(mc13783, MC13783_IRQ_RTCRST,
mc13783_rtc_reset_handler, DRIVER_NAME, priv);
if (ret)
goto err_reset_irq_request;

ret = mc13783_irq_status(priv->mc13783, MC13783_IRQ_RTCRST,
ret = mc13783_irq_status(mc13783, MC13783_IRQ_RTCRST,
NULL, &rtcrst_pending);
if (ret)
goto err_reset_irq_status;

priv->valid = !rtcrst_pending;

ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_1HZ,
ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_1HZ,
mc13783_rtc_update_handler, DRIVER_NAME, priv);
if (ret)
goto err_update_irq_request;

ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_TODA,
ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_TODA,
mc13783_rtc_alarm_handler, DRIVER_NAME, priv);
if (ret)
goto err_alarm_irq_request;
Expand All @@ -357,22 +360,22 @@ static int __devinit mc13783_rtc_probe(struct platform_device *pdev)
if (IS_ERR(priv->rtc)) {
ret = PTR_ERR(priv->rtc);

mc13783_irq_free(priv->mc13783, MC13783_IRQ_TODA, priv);
mc13783_irq_free(mc13783, MC13783_IRQ_TODA, priv);
err_alarm_irq_request:

mc13783_irq_free(priv->mc13783, MC13783_IRQ_1HZ, priv);
mc13783_irq_free(mc13783, MC13783_IRQ_1HZ, priv);
err_update_irq_request:

err_reset_irq_status:

mc13783_irq_free(priv->mc13783, MC13783_IRQ_RTCRST, priv);
mc13783_irq_free(mc13783, MC13783_IRQ_RTCRST, priv);
err_reset_irq_request:

platform_set_drvdata(pdev, NULL);
kfree(priv);
}

mc13783_unlock(priv->mc13783);
mc13783_unlock(mc13783);

return ret;
}
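Review bot: The final `mc13783_unlock(mc13783);` in the second hunk is only safe because it no longer reads through `priv`, which every error path has already handed to `kfree(priv)` inside the `if (IS_ERR(priv->rtc))` block, and nothing in the new code records that constraint. I would add a comment directly above the unlock, `/* priv may already be freed by the error paths above; use only the cached mc13783 pointer from here on */`, so a later edit does not reintroduce the dereference. The cleanup labels sit inside that `if` block and are reached by `goto` from the first hunk, so the lifetime of `priv` is easy to misread. The function's signature and the call that assigns `priv->rtc` are outside the visible hunks, so the note is limited to the lines shown.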
