Patchwork mtd: Blackfin NFC: fix invalid free in remove()

Submitter Mike Frysinger
Date Aug. 28, 2010, 8:42 p.m.
Message ID <1283028125-6027-1-git-send-email-vapier@gentoo.org>
Permalink /patch/62926/
State Accepted, archived
Commit 8b865d5efd9205b131dd9a43a6f450c05d38aaa1

Comments

Mike Frysinger - Aug. 28, 2010, 8:42 p.m.
Since info->mtd isn't dynamically allocated, we shouldn't attempt to
kfree() it.  Otherwise we get random fun corruption when unloading
the driver built as a module.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
note: this should be merged for 2.6.36 and probably sent to stable trees

 drivers/mtd/nand/bf5xx_nand.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)
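
A user-space model of the bug described in the commit message above, added here as an example (it is not part of the original post or of the driver): struct nand_info_model, its member layout, and model_alloc()/model_free() are hypothetical stand-ins for bf5xx_nand_info and the kernel allocator. It shows that the pointer the old remove() freed is an interior pointer, that the NULL test could never fail, and how the owning allocation is recovered from the member.

```c
#include <stddef.h>
#include <stdlib.h>

/* Reduced user-space stand-ins for the kernel types (hypothetical layout). */
struct mtd_info { const char *name; };
struct nand_info_model {
    long controller_placeholder;   /* leading member, so mtd sits at offset > 0 */
    struct mtd_info mtd;            /* embedded by value: part of info's allocation */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Tiny registry of allocation base addresses, standing in for the allocator. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];

void *model_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                        /* registry full or calloc failed */
    return NULL;
}

/* 0 on success; -1 when p is not the base of a live allocation. */
int model_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] && live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}

/* Shape of the pre-patch remove(): the NULL test can never fail, and the
 * pointer handed to the allocator is an interior pointer into info. */
int remove_before_patch(struct nand_info_model *info)
{
    struct mtd_info *mtd = &info->mtd;
    if (mtd)
        return model_free(mtd);     /* rejected here; a real kfree() corrupts */
    return 0;
}

/* Freeing through the owner: recover the base from the member, free once. */
int free_via_owner(struct mtd_info *mtd)
{
    return model_free(container_of(mtd, struct nand_info_model, mtd));
}
```
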
Artem Bityutskiy - Aug. 30, 2010, 12:58 p.m.
On Sat, 2010-08-28 at 16:42 -0400, Mike Frysinger wrote:
> Since info->mtd isn't dynamically allocated, we shouldn't attempt to
> kfree() it.  Otherwise we get random fun corruption when unloading
> the driver built as a module.
> 
> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
> ---
> note: this should be merged for 2.6.36 and probably sent to stable trees

You send the same patch 2 times once with this note and the other time
without this note. Which one should be ignored?
Artem Bityutskiy - Aug. 30, 2010, 12:59 p.m.
On Mon, 2010-08-30 at 15:58 +0300, Artem Bityutskiy wrote:
> On Sat, 2010-08-28 at 16:42 -0400, Mike Frysinger wrote:
> > Since info->mtd isn't dynamically allocated, we shouldn't attempt to
> > kfree() it.  Otherwise we get random fun corruption when unloading
> > the driver built as a module.
> > 
> > Signed-off-by: Mike Frysinger <vapier@gentoo.org>
> > ---
> > note: this should be merged for 2.6.36 and probably sent to stable trees
> 
> You send the same patch 2 times once with this note and the other time
> without this note. Which one should be ignored?

I guess it is 2.6.36 material. Also, if you want this in -stable, add
corresponding CC please.
Mike Frysinger - Aug. 30, 2010, 1:31 p.m.
On Mon, Aug 30, 2010 at 08:58, Artem Bityutskiy wrote:
> On Sat, 2010-08-28 at 16:42 -0400, Mike Frysinger wrote:
>> Since info->mtd isn't dynamically allocated, we shouldn't attempt to
>> kfree() it.  Otherwise we get random fun corruption when unloading
>> the driver built as a module.
>>
>> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
>> ---
>> note: this should be merged for 2.6.36 and probably sent to stable trees
>
> You send the same patch 2 times once with this note and the other time
> without this note. Which one should be ignored?

they're the same thing.  i used a wrong option with git-send-email.
-mike
Mike Frysinger - Aug. 30, 2010, 1:32 p.m.
On Mon, Aug 30, 2010 at 08:59, Artem Bityutskiy wrote:
> On Mon, 2010-08-30 at 15:58 +0300, Artem Bityutskiy wrote:
>> On Sat, 2010-08-28 at 16:42 -0400, Mike Frysinger wrote:
>> > Since info->mtd isn't dynamically allocated, we shouldn't attempt to
>> > kfree() it.  Otherwise we get random fun corruption when unloading
>> > the driver built as a module.
>> >
>> > Signed-off-by: Mike Frysinger <vapier@gentoo.org>
>> > ---
>> > note: this should be merged for 2.6.36 and probably sent to stable trees
>>
>> You send the same patch 2 times once with this note and the other time
>> without this note. Which one should be ignored?
>
> I guess it is 2.6.36 material. Also, if you want this in -stable, add
> corresponding CC please.

once it gets merged, then i can notify the stable guys
-mike
Artem Bityutskiy - Aug. 30, 2010, 3:10 p.m.
On Mon, 2010-08-30 at 09:32 -0400, Mike Frysinger wrote:
> On Mon, Aug 30, 2010 at 08:59, Artem Bityutskiy wrote:
> > On Mon, 2010-08-30 at 15:58 +0300, Artem Bityutskiy wrote:
> >> On Sat, 2010-08-28 at 16:42 -0400, Mike Frysinger wrote:
> >> > Since info->mtd isn't dynamically allocated, we shouldn't attempt to
> >> > kfree() it.  Otherwise we get random fun corruption when unloading
> >> > the driver built as a module.
> >> >
> >> > Signed-off-by: Mike Frysinger <vapier@gentoo.org>
> >> > ---
> >> > note: this should be merged for 2.6.36 and probably sent to stable trees
> >>
> >> You send the same patch 2 times once with this note and the other time
> >> without this note. Which one should be ignored?
> >
> > I guess it is 2.6.36 material. Also, if you want this in -stable, add
> > corresponding CC please.
> 
> once it gets merged, then i can notify the stable guys

AFAIK, this is not the way they prefer to work. The right protocol is
that you add 'Cc: stable@kernel.org' to the commit message, and they
pick the patch. I might be mistaken, but AFAIK this is the way.
Mike Frysinger - Aug. 30, 2010, 3:14 p.m.
On Mon, Aug 30, 2010 at 11:10, Artem Bityutskiy wrote:
> On Mon, 2010-08-30 at 09:32 -0400, Mike Frysinger wrote:
>> On Mon, Aug 30, 2010 at 08:59, Artem Bityutskiy wrote:
>> > On Mon, 2010-08-30 at 15:58 +0300, Artem Bityutskiy wrote:
>> >> On Sat, 2010-08-28 at 16:42 -0400, Mike Frysinger wrote:
>> >> > Since info->mtd isn't dynamically allocated, we shouldn't attempt to
>> >> > kfree() it.  Otherwise we get random fun corruption when unloading
>> >> > the driver built as a module.
>> >> >
>> >> > Signed-off-by: Mike Frysinger <vapier@gentoo.org>
>> >> > ---
>> >> > note: this should be merged for 2.6.36 and probably sent to stable trees
>> >>
>> >> You send the same patch 2 times once with this note and the other time
>> >> without this note. Which one should be ignored?
>> >
>> > I guess it is 2.6.36 material. Also, if you want this in -stable, add
>> > corresponding CC please.
>>
>> once it gets merged, then i can notify the stable guys
>
> AFAIK, this is not the way they prefer to work. The right protocol is
> that you add 'Cc: stable@kernel.org' to the commit message, and they
> pick the patch. I might be mistaken, but AFAIK this is the way.

np ... i'm not claiming to know more than you ;)
-mike

Patch

diff --git a/drivers/mtd/nand/bf5xx_nand.c b/drivers/mtd/nand/bf5xx_nand.c
index 162c5ea..6fbeefa 100644
--- a/drivers/mtd/nand/bf5xx_nand.c
+++ b/drivers/mtd/nand/bf5xx_nand.c
@@ -682,7 +682,6 @@  static int __devinit bf5xx_nand_add_partition(struct bf5xx_nand_info *info)
 static int __devexit bf5xx_nand_remove(struct platform_device *pdev)
 {
 	struct bf5xx_nand_info *info = to_nand_info(pdev);
-	struct mtd_info *mtd = NULL;
 
 	platform_set_drvdata(pdev, NULL);
 
@@ -690,11 +689,7 @@  static int __devexit bf5xx_nand_remove(struct platform_device *pdev)
 	 * and their partitions, then go through freeing the
 	 * resources used
 	 */
-	mtd = &info->mtd;
-	if (mtd) {
-		nand_release(mtd);
-		kfree(mtd);
-	}
+	nand_release(&info->mtd);
 
 	peripheral_free_list(bfin_nfc_pin_req);
 	bf5xx_nand_dma_remove(info);
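
Review bot: in the second hunk, once kfree(mtd) is gone nothing in the visible lines frees info, the object that mtd is embedded in; please confirm that the rest of bf5xx_nand_remove() releases info exactly once, and only after bf5xx_nand_dma_remove(info) has finished using it. The dropped "if (mtd)" test was dead code, since &info->mtd is the address of a member and cannot be NULL, so removing it together with the local in the first hunk is right. Because the note under "---" asks for stable backports, a "Cc: stable@kernel.org" line in the commit message would carry that request with the commit itself.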