[PATCH] mtd: Fix kernel NULL pointer dereference in physmap.c
H Hartley Sweeten
hartleys at visionengravers.com
Tue Oct 20 12:23:33 EDT 2009
During the probe for physmap platform flash devices there are a
number error exit conditions that all do a goto err_out which
then calls physmap_flash_remove(). In that function one of the
cleanup steps is:
#ifdef CONFIG_MTD_CONCAT
if (info->cmtd != info->mtd[0])
mtd_concat_destroy(info->cmtd);
#endif
This test will succeed since info->cmtd == NULL and info->mtd[0] is
valid, which then causes a NULL pointer dereference when mtd_concat_destroy()
is called. Fix this by moving the mtd_concat_destroy() step into the
if (info->cmtd) condition.
Also, move the kfree(info->parts) cleanup to remove an #ifdef.
Signed-off-by: H Hartley Sweeten <hsweeten at visionengravers.com>
Cc: David Woodhouse <dwmw2 at infradead.org>
Cc: Atsushi Nemoto <anemo at mba.ocn.ne.jp>
---
V2 - As pointed out by Atsushi Nemoto, the map_destroy loop should not
be skipped even when info->cmtd == NULL.
diff --git a/drivers/mtd/maps/physmap.c b/drivers/mtd/maps/physmap.c
index 380648e..3f13a96 100644
--- a/drivers/mtd/maps/physmap.c
+++ b/drivers/mtd/maps/physmap.c
@@ -48,23 +48,22 @@ static int physmap_flash_remove(struct platform_device *dev)
if (info->cmtd) {
#ifdef CONFIG_MTD_PARTITIONS
- if (info->nr_parts || physmap_data->nr_parts)
+ if (info->nr_parts || physmap_data->nr_parts) {
del_mtd_partitions(info->cmtd);
- else
+
+ if (info->nr_parts)
+ kfree(info->parts);
+ } else {
del_mtd_device(info->cmtd);
+ }
#else
del_mtd_device(info->cmtd);
#endif
- }
-#ifdef CONFIG_MTD_PARTITIONS
- if (info->nr_parts)
- kfree(info->parts);
-#endif
-
#ifdef CONFIG_MTD_CONCAT
- if (info->cmtd != info->mtd[0])
- mtd_concat_destroy(info->cmtd);
+ if (info->cmtd != info->mtd[0])
+ mtd_concat_destroy(info->cmtd);
#endif
+ }
for (i = 0; i < MAX_RESOURCES; i++) {
if (info->mtd[i] != NULL)
More information about the linux-mtd
mailing list