[PATCH] mtd: Fix kernel NULL pointer dereference in physmap.c
H Hartley Sweeten
hartleys at visionengravers.com
Tue Oct 20 18:28:59 EDT 2009
On Tuesday, October 20, 2009 2:38 PM, David Woodhouse wrote:
> On Tue, 2009-10-20 at 12:23 -0400, H Hartley Sweeten wrote:
>> During the probe for physmap platform flash devices there are a
>> number of error exit conditions that all do a goto err_out which
>> then calls physmap_flash_remove(). In that function one of the
>> cleanup steps is:
>>
>> #ifdef CONFIG_MTD_CONCAT
>> 	if (info->cmtd != info->mtd[0])
>> 		mtd_concat_destroy(info->cmtd);
>> #endif
>>
>> This test will succeed since info->cmtd == NULL and info->mtd[0] is
>> valid, which then causes a NULL pointer dereference when mtd_concat_destroy()
>> is called. Fix this by moving the mtd_concat_destroy() step into the
>> if (info->cmtd) condition.
>>
>> Also, move the kfree(info->parts) cleanup to remove an #ifdef.
>>
>> Signed-off-by: H Hartley Sweeten <hsweeten at visionengravers.com>
>> Cc: David Woodhouse <dwmw2 at infradead.org>
>> Cc: Atsushi Nemoto <anemo at mba.ocn.ne.jp>
>>
>> ---
>>
>> V2 - As pointed out by Atsushi Nemoto, the map_destroy loop should not
>> be skipped even when info->cmtd == NULL.
>
> Thanks.
>
> In an attempt to improve my responsiveness as maintainer, I'd already
> committed the first version. How does this look:
Very responsive indeed. ;-)

Sorry about introducing the bug. Your amended patch looks like it serves
the same purpose as my updated one. Thanks for fixing that.

Regards,
Hartley
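
The cleanup bug described in the quoted commit message, modelled in userspace C as an added example (not the kernel's code and not either patch from this thread). `flash_info`, the `*_stub` functions and `run_case` are hypothetical stand-ins, and the guarded variant is one way to express the check the message describes, including the V2 point that the map loop must still run.

```c
#include <stdio.h>
#define MAX_RESOURCES 4
/* Userspace stand-ins for the kernel structures (assumed, simplified). */
struct mtd_info { int id; };
struct flash_info {
	struct mtd_info *mtd[MAX_RESOURCES];
	struct mtd_info *cmtd;	/* still NULL if probe failed early */
};

/* Stubs count calls instead of dereferencing, so the model cannot crash. */
static int null_destroys, maps_destroyed;
static void concat_destroy_stub(struct mtd_info *m) { if (!m) null_destroys++; }
static void map_destroy_stub(struct mtd_info *m) { (void)m; maps_destroyed++; }

/* Cleanup shape from the report: only the comparison guards the call. */
static void remove_unguarded(struct flash_info *info)
{
	if (info->cmtd != info->mtd[0])
		concat_destroy_stub(info->cmtd);	/* NULL != mtd[0] is true */
	for (int i = 0; i < MAX_RESOURCES; i++)
		if (info->mtd[i])
			map_destroy_stub(info->mtd[i]);
}

/* Guarded shape: concat teardown needs a non-NULL cmtd; map loop always runs. */
static void remove_guarded(struct flash_info *info)
{
	if (info->cmtd && info->cmtd != info->mtd[0])
		concat_destroy_stub(info->cmtd);
	for (int i = 0; i < MAX_RESOURCES; i++)
		if (info->mtd[i])
			map_destroy_stub(info->mtd[i]);
}

/* Constructed state: two chips mapped, probe failed before cmtd was set. */
static int run_case(void (*cleanup)(struct flash_info *))
{
	static struct mtd_info chips[2];
	struct flash_info info = { .mtd = { &chips[0], &chips[1] }, .cmtd = NULL };
	null_destroys = maps_destroyed = 0;
	cleanup(&info);
	return null_destroys;
}

int main(void)
{
	printf("NULL destroy calls: unguarded=%d guarded=%d\n", run_case(remove_unguarded), run_case(remove_guarded));
	return 0;
}
```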