summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMax Asbock <masbock@us.ibm.com>2006-03-09 17:33:48 -0800
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-09 19:47:37 -0800
commit6a88231fc7da311e4da4ce2011d1a132c80c145a (patch)
tree383281e2e283a2f3da686d3ea57cd7c4777a7282
parenta6bf527091b1dd40f1b6a496812ce7520621c282 (diff)
downloadlinux-6a88231fc7da311e4da4ce2011d1a132c80c145a.tar.gz
linux-6a88231fc7da311e4da4ce2011d1a132c80c145a.tar.bz2
linux-6a88231fc7da311e4da4ce2011d1a132c80c145a.zip
[PATCH] ibmasm: use after free fix
The kobject_put() can free the memory at *cmd, but cmd->lock points to a persistent lock that is not freed with cmd. Signed-off-by: Max Asbock <masbock@us.ibm.com> Cc: Vernon Mauery <vernux@us.ibm.com> Cc: Srihari Vijayaraghavan <sriharivijayaraghavan@yahoo.com.au> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--drivers/misc/ibmasm/ibmasm.h9
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/misc/ibmasm/ibmasm.h b/drivers/misc/ibmasm/ibmasm.h
index 1cef2387fa65..6aba41954448 100644
--- a/drivers/misc/ibmasm/ibmasm.h
+++ b/drivers/misc/ibmasm/ibmasm.h
@@ -101,15 +101,16 @@ struct command {
static inline void command_put(struct command *cmd)
{
unsigned long flags;
+ spinlock_t *lock = cmd->lock;
- spin_lock_irqsave(cmd->lock, flags);
- kobject_put(&cmd->kobj);
- spin_unlock_irqrestore(cmd->lock, flags);
+ spin_lock_irqsave(lock, flags);
+ kobject_put(&cmd->kobj);
+ spin_unlock_irqrestore(lock, flags);
}
static inline void command_get(struct command *cmd)
{
- kobject_get(&cmd->kobj);
+ kobject_get(&cmd->kobj);
}