From patchwork Tue Oct 20 16:23:33 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: mtd: Fix kernel NULL pointer dereference in physmap.c Date: Tue, 20 Oct 2009 06:23:33 -0000 From: hartleys X-Patchwork-Id: 36477 Message-Id: To: Cc: Atsushi Nemoto , dwmw2@infradead.org During the probe for physmap platform flash devices there are a number error exit conditions that all do a goto err_out which then calls physmap_flash_remove(). In that function one of the cleanup steps is: #ifdef CONFIG_MTD_CONCAT if (info->cmtd != info->mtd[0]) mtd_concat_destroy(info->cmtd); #endif This test will succeed since info->cmtd == NULL and info->mtd[0] is valid, which then causes a NULL pointer dereference when mtd_concat_destroy() is called. Fix this by moving the mtd_concat_destroy() step into the if (info->cmtd) condition. Also, move the kfree(info->parts) cleanup to remove an #ifdef. Signed-off-by: H Hartley Sweeten Cc: David Woodhouse Cc: Atsushi Nemoto --- V2 - As pointed out by Atsushi Nemoto, the map_destroy loop should not be skipped even when info->cmtd == NULL. diff --git a/drivers/mtd/maps/physmap.c b/drivers/mtd/maps/physmap.c index 380648e..3f13a96 100644 --- a/drivers/mtd/maps/physmap.c +++ b/drivers/mtd/maps/physmap.c @@ -48,23 +48,22 @@ static int physmap_flash_remove(struct platform_device *dev) if (info->cmtd) { #ifdef CONFIG_MTD_PARTITIONS - if (info->nr_parts || physmap_data->nr_parts) + if (info->nr_parts || physmap_data->nr_parts) { del_mtd_partitions(info->cmtd); - else + + if (info->nr_parts) + kfree(info->parts); + } else { del_mtd_device(info->cmtd); + } #else del_mtd_device(info->cmtd); #endif - } -#ifdef CONFIG_MTD_PARTITIONS - if (info->nr_parts) - kfree(info->parts); -#endif - #ifdef CONFIG_MTD_CONCAT - if (info->cmtd != info->mtd[0]) - mtd_concat_destroy(info->cmtd); + if (info->cmtd != info->mtd[0]) + mtd_concat_destroy(info->cmtd); #endif + } for (i = 0; i < MAX_RESOURCES; i++) { if (info->mtd[i] != NULL)