Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6a88231f authored by Max Asbock's avatar Max Asbock Committed by Linus Torvalds
Browse files

[PATCH] ibmasm: use after free fix 



The kobject_put() can free the memory at *cmd, but cmd->lock points to a
persistent lock that is not freed with cmd.

Signed-off-by: default avatarMax Asbock <masbock@us.ibm.com>
Cc: Vernon Mauery <vernux@us.ibm.com>
Cc: Srihari Vijayaraghavan <sriharivijayaraghavan@yahoo.com.au>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent a6bf5270

drivers/misc/ibmasm/ibmasm.h

+5 −4
Original line number Diff line number Diff line
@@ -101,10 +101,11 @@ struct command { 
static inline void command_put(struct command *cmd)

{

	unsigned long flags;

	spinlock_t *lock = cmd->lock;



	spin_lock_irqsave(cmd->lock, flags);

	spin_lock_irqsave(lock, flags);

	kobject_put(&cmd->kobj);

	spin_unlock_irqrestore(cmd->lock, flags);

	spin_unlock_irqrestore(lock, flags);

}



static inline void command_get(struct command *cmd)