From patchwork Tue Mar 16 09:15:11 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Uwe_Kleine-K=C3=B6nig?=
 <u.kleine-koenig@pengutronix.de>
X-Patchwork-Id: 47813
Return-Path: <3J0yfSwAACV4NP8-HEJQTCKKCHACNKQLO.8KI@groups.bounces.google.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from mail-gw0-f56.google.com (mail-gw0-f56.google.com
	[74.125.83.56]) by ozlabs.org (Postfix) with ESMTP id 2C904B7D82
	for <incoming@patchwork.ozlabs.org>;
	Tue, 16 Mar 2010 20:15:20 +1100 (EST)
Received: by gwj19 with SMTP id 19sf6196832gwj.11
	for <incoming@patchwork.ozlabs.org>;
	Tue, 16 Mar 2010 02:15:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlegroups.com; s=beta;
	h=domainkey-signature:received:x-beenthere:received:received:received
	:received:received-spf:received:received:from:to:cc:subject:date
	:message-id:x-mailer:in-reply-to:references:mime-version
	:x-sa-exim-connect-ip:x-sa-exim-mail-from:x-sa-exim-scanned
	:x-ptx-original-recipient:x-original-authentication-results
	:x-original-sender:reply-to:precedence:mailing-list:list-id
	:list-post:list-help:list-archive:x-thread-url:x-message-url:sender
	:list-subscribe:list-unsubscribe:content-type
	:content-transfer-encoding;
	bh=lauterLnNWgbCqG4ZxhcVuM65bd3gJfz2jsy8nyf8Us=;
	b=Betn0wHUBaLpUmCzXaX2g0Kfgg0d2b6q+zGY8RL1iuH2Fvn43E/VqImseTRehMM27b
	uwobWk3DgPaOTa2PLMG7tgSnRxeMFZ5KnN98HOxE6v159q1lGn17krtAHOzEMb6fUwUp
	2Q3vSdDWoB+y0p4ItkjlICwhrsoQXJJrcEzRg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlegroups.com; s=beta;
	h=x-beenthere:received-spf:from:to:cc:subject:date:message-id
	:x-mailer:in-reply-to:references:mime-version:x-sa-exim-connect-ip
	:x-sa-exim-mail-from:x-sa-exim-scanned:x-ptx-original-recipient
	:x-original-authentication-results:x-original-sender:reply-to
	:precedence:mailing-list:list-id:list-post:list-help:list-archive
	:x-thread-url:x-message-url:sender:list-subscribe:list-unsubscribe
	:content-type:content-transfer-encoding;
	b=NYBjhgjYlEg2+kMsI+UFfksrsDX74uzSyj3oR0CCg2LZlh+Ay7CVMgtJGUxkTaKFSs
	R1pBETrIvpN266HUKoKAfvwfRq2XArNYiNAQuHLIBx5WiwQ4HyjHk0i13Z9tkjOxre0J
	rI/2REbaTce6t29HFGlOOYnpb0/nbwQAhMUcI=
Received: by 10.150.166.15 with SMTP id o15mr30238ybe.11.1268730919142;
	Tue, 16 Mar 2010 02:15:19 -0700 (PDT)
X-BeenThere: rtc-linux@googlegroups.com
Received: by 10.87.29.3 with SMTP id g3ls1247860fgj.2.p; Tue, 16 Mar 2010
	02:15:15 -0700 (PDT)
Received: by 10.87.40.5 with SMTP id s5mr531315fgj.6.1268730915139;
	Tue, 16 Mar 2010 02:15:15 -0700 (PDT)
Received: by 10.87.40.5 with SMTP id s5mr531314fgj.6.1268730915117;
	Tue, 16 Mar 2010 02:15:15 -0700 (PDT)
Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de
	[92.198.50.35]) by gmr-mx.google.com with ESMTP id
	17si633246fxm.3.2010.03.16.02.15.15;
	Tue, 16 Mar 2010 02:15:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
	ukl@pengutronix.de designates 92.198.50.35 as permitted
	sender) client-ip=92.198.50.35;
Received: from octopus.hi.pengutronix.de
	([2001:6f8:1178:2:215:17ff:fe12:23b0])
	by metis.ext.pengutronix.de with esmtp (Exim 4.71)
	(envelope-from <ukl@pengutronix.de>)
	id 1NrSrq-0003md-Ql; Tue, 16 Mar 2010 10:15:14 +0100
Received: from ukl by octopus.hi.pengutronix.de with local (Exim 4.69)
	(envelope-from <ukl@pengutronix.de>)
	id 1NrSrp-0006aV-RS; Tue, 16 Mar 2010 10:15:13 +0100
From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
To: linux-kernel@vger.kernel.org
Cc: rtc-linux@googlegroups.com,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [rtc-linux] [PATCH] rtc/mc13783: fix use after free bug
Date: Tue, 16 Mar 2010 10:15:11 +0100
Message-Id: <1268730911-25296-1-git-send-email-u.kleine-koenig@pengutronix.de>
X-Mailer: git-send-email 1.7.0
In-Reply-To: <20100307141459.GE6469@bicker>
References: <20100307141459.GE6469@bicker>
MIME-Version: 1.0
X-SA-Exim-Connect-IP: 2001:6f8:1178:2:215:17ff:fe12:23b0
X-SA-Exim-Mail-From: ukl@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de);
	SAEximRunCond expanded to false
X-PTX-Original-Recipient: rtc-linux@googlegroups.com
X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com:
	best guess record for domain of
	ukl@pengutronix.de designates 92.198.50.35 as
	permitted sender) smtp.mail=ukl@pengutronix.de
X-Original-Sender: u.kleine-koenig@pengutronix.de
Reply-To: rtc-linux@googlegroups.com
Precedence: list
Mailing-list: list rtc-linux@googlegroups.com;
	contact rtc-linux+owners@googlegroups.com
List-ID: <rtc-linux.googlegroups.com>
List-Post: <http://groups.google.com/group/rtc-linux/post?hl=en_US>,
	<mailto:rtc-linux@googlegroups.com>
List-Help: <http://groups.google.com/support/?hl=en_US>,
	<mailto:rtc-linux+help@googlegroups.com>
List-Archive: <http://groups.google.com/group/rtc-linux?hl=en_US>
X-Thread-Url: http://groups.google.com/group/rtc-linux/t/658da6c8ded424d5
X-Message-Url: http://groups.google.com/group/rtc-linux/msg/512168039a6d3cbb
Sender: rtc-linux@googlegroups.com
List-Subscribe: <http://groups.google.com/group/rtc-linux/subscribe?hl=en_US>,
	<mailto:rtc-linux+subscribe@googlegroups.com>
List-Unsubscribe: 
 <http://groups.google.com/group/rtc-linux/subscribe?hl=en_US>,
	<mailto:rtc-linux+unsubscribe@googlegroups.com>

This was introduced by v2.6.34-rc1~38:

	4c014e8 (rtc/mc13783: protect rtc {,un}registration by mc13783 lock)

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reported-by: Dan Carpenter <error27@gmail.com>
---
 drivers/rtc/rtc-mc13783.c |   23 +++++++++++++----------
 1 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/drivers/rtc/rtc-mc13783.c b/drivers/rtc/rtc-mc13783.c
index d60c81b..1379c7f 100644
--- a/drivers/rtc/rtc-mc13783.c
+++ b/drivers/rtc/rtc-mc13783.c
@@ -319,35 +319,38 @@ static int __devinit mc13783_rtc_probe(struct platform_device *pdev)
 {
 	int ret;
 	struct mc13783_rtc *priv;
+	struct mc13783 *mc13783;
 	int rtcrst_pending;
 
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
 
-	priv->mc13783 = dev_get_drvdata(pdev->dev.parent);
+	mc13783 = dev_get_drvdata(pdev->dev.parent);
+	priv->mc13783 = mc13783;
+
 	platform_set_drvdata(pdev, priv);
 
-	mc13783_lock(priv->mc13783);
+	mc13783_lock(mc13783);
 
-	ret = mc13783_irq_request(priv->mc13783, MC13783_IRQ_RTCRST,
+	ret = mc13783_irq_request(mc13783, MC13783_IRQ_RTCRST,
 			mc13783_rtc_reset_handler, DRIVER_NAME, priv);
 	if (ret)
 		goto err_reset_irq_request;
 
-	ret = mc13783_irq_status(priv->mc13783, MC13783_IRQ_RTCRST,
+	ret = mc13783_irq_status(mc13783, MC13783_IRQ_RTCRST,
 			NULL, &rtcrst_pending);
 	if (ret)
 		goto err_reset_irq_status;
 
 	priv->valid = !rtcrst_pending;
 
-	ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_1HZ,
+	ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_1HZ,
 			mc13783_rtc_update_handler, DRIVER_NAME, priv);
 	if (ret)
 		goto err_update_irq_request;
 
-	ret = mc13783_irq_request_nounmask(priv->mc13783, MC13783_IRQ_TODA,
+	ret = mc13783_irq_request_nounmask(mc13783, MC13783_IRQ_TODA,
 			mc13783_rtc_alarm_handler, DRIVER_NAME, priv);
 	if (ret)
 		goto err_alarm_irq_request;
@@ -357,22 +360,22 @@ static int __devinit mc13783_rtc_probe(struct platform_device *pdev)
 	if (IS_ERR(priv->rtc)) {
 		ret = PTR_ERR(priv->rtc);
 
-		mc13783_irq_free(priv->mc13783, MC13783_IRQ_TODA, priv);
+		mc13783_irq_free(mc13783, MC13783_IRQ_TODA, priv);
 err_alarm_irq_request:
 
-		mc13783_irq_free(priv->mc13783, MC13783_IRQ_1HZ, priv);
+		mc13783_irq_free(mc13783, MC13783_IRQ_1HZ, priv);
 err_update_irq_request:
 
 err_reset_irq_status:
 
-		mc13783_irq_free(priv->mc13783, MC13783_IRQ_RTCRST, priv);
+		mc13783_irq_free(mc13783, MC13783_IRQ_RTCRST, priv);
 err_reset_irq_request:
 
 		platform_set_drvdata(pdev, NULL);
 		kfree(priv);
 	}
 
-	mc13783_unlock(priv->mc13783);
+	mc13783_unlock(mc13783);
 
 	return ret;
 }