mfd: Correct use after free for t7l66xb

The structure t7l66xb should not be freed before the subsequent references to its fields in the arguments to clk_put. Furthermore, this structure is allocated near the beginning of the function, and a goto to the label err_noirq appears after a successful allocation, so it would seem that the kfree should be moved down below this label. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); ... when != &x when != x = e when != I(x,...) S *x->f // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk>
git-mirror · Mar 7, 2010 · 0e820ab · 0e820ab
1 parent 1ecc09e
commit 0e820ab
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/mfd/t7l66xb.c b/drivers/mfd/t7l66xb.c
@@ -403,12 +403,12 @@ static int t7l66xb_probe(struct platform_device *dev)
 err_ioremap:
 	release_resource(&t7l66xb->rscr);
 err_request_scr:
-	kfree(t7l66xb);
 	clk_put(t7l66xb->clk48m);
 err_clk48m_get:
 	clk_put(t7l66xb->clk32k);
 err_clk32k_get:
 err_noirq:
+	kfree(t7l66xb);
 	return ret;
 }