regulator core: fix double-free in regulator_register() error path
During regulator registration, any error after device_register() will cause a double-free on the struct regulator_dev 'rdev'. The bug is in drivers/regulator/core.c:regulator_register(): ... scrub: device_unregister(&rdev->dev); clean: kfree(rdev); <--- rdev = ERR_PTR(ret); goto out; ... device_unregister() calls regulator_dev_release() which frees rdev. The subsequent kfree corrupts memory and causes some OMAP3 systems to oops on boot in regulator_get(). Applies against 2.6.30-rc3. Signed-off-by: Paul Walmsley <paul@pwsan.com> Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
This commit is contained in:
parent
cd78dfc6c6
commit
53032dafc6
1 changed files with 4 additions and 0 deletions
|
@ -2080,6 +2080,10 @@ struct regulator_dev *regulator_register(struct regulator_desc *regulator_desc,
|
|||
|
||||
scrub:
|
||||
device_unregister(&rdev->dev);
|
||||
/* device core frees rdev */
|
||||
rdev = ERR_PTR(ret);
|
||||
goto out;
|
||||
|
||||
clean:
|
||||
kfree(rdev);
|
||||
rdev = ERR_PTR(ret);
|
||||
|
|
Loading…
Reference in a new issue