From: Julia Lawall Date: Fri, 2 Apr 2010 12:47:38 +0000 (+0200) Subject: mtd: maps: Eliminate use after free X-Git-Tag: v2.6.35-rc1~465^2~58 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=258006d1abcf3f2990d3ebd77d75af335ff24d81;p=users%2Fhch%2Fmisc.git mtd: maps: Eliminate use after free Moved the debugging message before the call to map_destroy, which frees its argument. The message is also slightly changed to reflect its new position. A simplified version of the semantic patch that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression E,E2; @@ del_mtd_device(E) ... ( E = E2 | * E ) // Signed-off-by: Julia Lawall Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse --- diff --git a/drivers/mtd/maps/pcmciamtd.c b/drivers/mtd/maps/pcmciamtd.c index 689d6a79ffc0..81159d708f86 100644 --- a/drivers/mtd/maps/pcmciamtd.c +++ b/drivers/mtd/maps/pcmciamtd.c @@ -692,8 +692,8 @@ static void pcmciamtd_detach(struct pcmcia_device *link) if(dev->mtd_info) { del_mtd_device(dev->mtd_info); + info("mtd%d: Removing", dev->mtd_info->index); map_destroy(dev->mtd_info); - info("mtd%d: Removed", dev->mtd_info->index); } pcmciamtd_release(link);