[PATCH] ISP1704 USB Charger: Fix use-after-free error in isp1704_charger_probe()

From: Jesper Juhl
Date: Sun Apr 22 2012 - 16:13:33 EST


In isp1704_charger_probe() at the 'fail0:' label we kfree(isp) and
then subsequently call isp1704_charger_set_power(isp, 0). That's a
problem since isp1704_charger_set_power() dereferences the pointer it
is passed as its first argument, which is 'isp', which we already
freed.

Fixed by simply swapping the order of the two calls so that we only
kfree() *after* the call to isp1704_charger_set_power().

Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx>
---
drivers/power/isp1704_charger.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/power/isp1704_charger.c b/drivers/power/isp1704_charger.c
index 39eb50f..8a610da 100644
--- a/drivers/power/isp1704_charger.c
+++ b/drivers/power/isp1704_charger.c
@@ -476,11 +476,9 @@ fail2:
fail1:
usb_put_transceiver(isp->phy);
fail0:
- kfree(isp);
-
dev_err(&pdev->dev, "failed to register isp1704 with error %d\n", ret);
-
isp1704_charger_set_power(isp, 0);
+ kfree(isp);
return ret;
}
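
Review bot: At fail0:, the reordering itself looks right, but fail1: falls through into it after usb_put_transceiver(isp->phy), so isp1704_charger_set_power(isp, 0) still runs after the transceiver reference has been dropped; it is worth confirming that isp1704_charger_set_power() does not touch isp->phy, or else moving the power-off ahead of the put. Also confirm that every goto fail0 is reached with isp non-NULL, since the callee dereferences it. As a style point, the two blank-line removals around dev_err() are unrelated to the fix and account for two of the three deletions in the diffstat; dropping them would keep the patch to the single moved kfree(isp) line.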

--
1.7.10


--
Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.
