From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 31 Jul 2017 16:45:41 +0000 (+0200)
Subject: video: fbdev: imxfb: use after free in imxfb_remove()
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5ae29649e03f58be0f412c21b62b203aa7cf1680;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

video: fbdev: imxfb: use after free in imxfb_remove()

We free "info" then dereference it on the next line.  Really this whole
function would be better if we wrote it to unwind in the mirror of how
things are allocated in the probe.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Alexander Shiyan <shc_work@mail.ru>
Cc: Sascha Hauer <kernel@pengutronix.de>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
---

diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
index c166e0725be5..ba82f97fb42b 100644
--- a/drivers/video/fbdev/imxfb.c
+++ b/drivers/video/fbdev/imxfb.c
@@ -1073,20 +1073,16 @@ static int imxfb_remove(struct platform_device *pdev)
 	imxfb_disable_controller(fbi);
 
 	unregister_framebuffer(info);
-
+	fb_dealloc_cmap(&info->cmap);
 	pdata = dev_get_platdata(&pdev->dev);
 	if (pdata && pdata->exit)
 		pdata->exit(fbi->pdev);
-
-	fb_dealloc_cmap(&info->cmap);
-	kfree(info->pseudo_palette);
-	framebuffer_release(info);
-
 	dma_free_wc(&pdev->dev, fbi->map_size, info->screen_base,
 		    fbi->map_dma);
-
 	iounmap(fbi->regs);
 	release_mem_region(res->start, resource_size(res));
+	kfree(info->pseudo_palette);
+	framebuffer_release(info);
 
 	return 0;
 }