[PATCH] regulator core: fix double-free in regulator_register() error path

Paul Walmsley Sat, 25 Apr 2009 04:28:49 -0700

During regulator registration, any error after device_register() will 
cause a double-free on the struct regulator_dev 'rdev'.  The bug is in 
drivers/regulator/core.c:regulator_register():


...
scrub:
        device_unregister(&rdev->dev);
clean:
        kfree(rdev);                           <---
        rdev = ERR_PTR(ret);
        goto out;
...

device_unregister() calls regulator_dev_release() which frees rdev.  The 
subsequent kfree corrupts memory and causes some OMAP3 systems to oops on 
boot in regulator_get().

Applies against 2.6.30-rc3.

Signed-off-by: Paul Walmsley <p...@pwsan.com>
---
 drivers/regulator/core.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 01f7702..fabd2e0 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -2080,6 +2080,10 @@ out:
 
 scrub:
        device_unregister(&rdev->dev);
+       /* device core frees rdev */
+       rdev = ERR_PTR(ret);
+       goto out;
+
 clean:
        kfree(rdev);
        rdev = ERR_PTR(ret);
-- 
1.6.3.rc1.51.gea0b7

--
To unsubscribe from this list: send the line "unsubscribe linux-omap" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] regulator core: fix double-free in regulator_register() error path

Reply via email to