From: Axel Lin Date: Mon, 14 Nov 2011 22:31:29 +0000 (+0100) Subject: PM / devfreq: fix use after free in devfreq_remove_device X-Git-Tag: MMI-PSA29.97-13-9~17996^2~6 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9f3bdd4f937a75c4589a867dc1f8fefe09c1a618;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git PM / devfreq: fix use after free in devfreq_remove_device In devfreq_remove_device, calling _remove_devfreq will also free devfreq. Don't dereference devfreq->governor->no_central_polling after _remove_devfreq. Signed-off-by: Axel Lin Acked-by: MyungJoo Ham Signed-off-by: Rafael J. Wysocki
---
diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index d0659253387a..59d24e9cb8c5 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -418,10 +418,14 @@ out:
 */
 int devfreq_remove_device(struct devfreq *devfreq)
 {
+ bool central_polling;
+
 if (!devfreq)
 return -EINVAL;
- if (!devfreq->governor->no_central_polling) {
+ central_polling = !devfreq->governor->no_central_polling;
+
+ if (central_polling) {
 mutex_lock(&devfreq_list_lock);
 while (wait_remove_device == devfreq) {
 mutex_unlock(&devfreq_list_lock);
@@ -433,7 +437,7 @@ int devfreq_remove_device(struct devfreq *devfreq)
 mutex_lock(&devfreq->lock);
 _remove_devfreq(devfreq, false); /* it unlocks devfreq->lock */
- if (!devfreq->governor->no_central_polling)
+ if (central_polling)
 mutex_unlock(&devfreq_list_lock);
 return 0;
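Review bot: The comment on the `_remove_devfreq(devfreq, false)` call in the second hunk still mentions only the unlock, so the lifetime rule this fix depends on is not recorded at the place where a later edit could reintroduce the dereference. The commit message says `_remove_devfreq` also frees `devfreq`; I would change the comment to `/* unlocks devfreq->lock and frees devfreq; do not dereference devfreq below */`. In the first hunk, a short comment on the cached flag, e.g. `/* read before _remove_devfreq() frees devfreq */`, would explain why `central_polling` exists. Both hunks show only part of devfreq_remove_device, and the rest of the wait loop between them is outside the visible lines, so whether `devfreq` can be released by another path before `mutex_lock(&devfreq->lock)` cannot be checked from here.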