summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorJulia Lawall <julia@diku.dk>2010-07-30 19:17:28 +0400
committerRussell King <rmk+kernel@arm.linux.org.uk>2010-07-31 02:19:30 +0400
commitf2d2420bbf4bb125ea5f2e1573d4da6b668fc78a (patch)
treeb6a074ce9a14e7fc1f99641bb3e47b83417f34eb /drivers
parent74bc80931c8bc34d24545f992a35349ad548897c (diff)
downloadlinux-f2d2420bbf4bb125ea5f2e1573d4da6b668fc78a.tar.xz
SA1111: Eliminate use after free
__sa1111_remove always frees its argument, so the subsequent reference to sachip->saved_state represents a use after free. __sa1111_remove does not appear to use the saved_state field, so the patch simply frees it first. A simplified version of the semantic patch that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E,E2; @@ __sa1111_remove(E) ... ( E = E2 | * E ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions