From patchwork Thu May 13 09:59:58 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dominik Brodowski <linux@dominikbrodowski.net>
X-Patchwork-Id: 52464
Return-Path: 
 <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from bombadil.infradead.org (bombadil.infradead.org [18.85.46.34])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id B75F0B7E14
	for <incoming@patchwork.ozlabs.org>;
	Thu, 13 May 2010 20:01:53 +1000 (EST)
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.69 #1 (Red Hat Linux))
	id 1OCVDW-0003w4-Ia; Thu, 13 May 2010 10:00:34 +0000
Received: from isilmar-3.linta.de ([188.40.101.200] helo=linta.de)
	by bombadil.infradead.org with esmtps (Exim 4.69 #1 (Red Hat Linux))
	id 1OCVDN-0003rW-By
	for linux-mtd@lists.infradead.org; Thu, 13 May 2010 10:00:31 +0000
Received: (qmail 7123 invoked from network); 13 May 2010 10:00:15 -0000
Received: from p54a072f8.dip.t-dialin.net (HELO comet.dominikbrodowski.net)
	(brodo@84.160.114.248)
	by isilmar-3.linta.de with (DHE-RSA-AES256-SHA encrypted) SMTP;
	13 May 2010 10:00:15 -0000
Received: by comet.dominikbrodowski.net (Postfix, from userid 1000)
	id 1865F80097; Thu, 13 May 2010 12:00:04 +0200 (CEST)
From: Dominik Brodowski <linux@dominikbrodowski.net>
To: <linux-pcmcia@lists.infradead.org>,
	<linux-mtd@lists.infradead.org>
Subject: [PATCH 1/4] drivers/mtd/maps: Eliminate use after free
Date: Thu, 13 May 2010 11:59:58 +0200
Message-Id: <1273744801-26318-1-git-send-email-linux@dominikbrodowski.net>
X-Mailer: git-send-email 1.6.3.3
In-Reply-To: <20100513095749.GA25909@comet.dominikbrodowski.net>
References: <20100513095749.GA25909@comet.dominikbrodowski.net>
X-CRM114-Version: 20090807-BlameThorstenAndJenny ( TRE 0.7.6 (BSD) )
	MR-646709E3
X-CRM114-CacheID: sfid-20100513_060025_761574_EE078B25 
X-CRM114-Status: GOOD (  14.07  )
X-Spam-Score: 0.0 (/)
X-Spam-Report: SpamAssassin version 3.3.1 on bombadil.infradead.org summary:
	Content analysis details:   (0.0 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
Cc: Julia Lawall <julia@diku.dk>,
	Dominik Brodowski <linux@dominikbrodowski.net>
X-BeenThere: linux-mtd@lists.infradead.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-mtd/>
List-Post: <mailto:linux-mtd@lists.infradead.org>
List-Help: <mailto:linux-mtd-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>
MIME-Version: 1.0
Sender: linux-mtd-bounces@lists.infradead.org
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

From: Julia Lawall <julia@diku.dk>

Moved the debugging message before the call to map_destroy, which frees its
argument.  The message is also slightly changed to reflect its new
position.

A simplified version of the semantic patch that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E,E2;
@@

del_mtd_device(E)
...
(
  E = E2
|
* E
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
---
 drivers/mtd/maps/pcmciamtd.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mtd/maps/pcmciamtd.c b/drivers/mtd/maps/pcmciamtd.c
index 689d6a7..81159d7 100644
--- a/drivers/mtd/maps/pcmciamtd.c
+++ b/drivers/mtd/maps/pcmciamtd.c
@@ -692,8 +692,8 @@ static void pcmciamtd_detach(struct pcmcia_device *link)
 
 	if(dev->mtd_info) {
 		del_mtd_device(dev->mtd_info);
+		info("mtd%d: Removing", dev->mtd_info->index);
 		map_destroy(dev->mtd_info);
-		info("mtd%d: Removed", dev->mtd_info->index);
 	}
 
 	pcmciamtd_release(link);