parport: fix freeing freed memory
author Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Mon, 15 Jun 2015 14:35:51 +0000 (20:05 +0530)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 23 Jul 2015 04:15:49 +0000 (21:15 -0700)
After the reference count becomes 0 when put_device() is called, it will
execute the release callback where we are freeing all the allocated
memory associated with the device. So if we just continue on the error
path then we are again freeing devname and trying to dereference par_dev
which has already been freed in the release callback.

Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/parport/share.c

index 1efec44e03aa55ac57317379f7b01565580a2e5f..c02b5f27798b0baeabb8cb49e3b80d3c137dbc04 100644 (file)
@@ -892,8 +892,10 @@ parport_register_dev_model(struct parport *port, const char *name,
        par_dev->dev.release = free_pardevice;
        par_dev->devmodel = true;
        ret = device_register(&par_dev->dev);
-       if (ret)
-               goto err_put_dev;
+       if (ret) {
+               put_device(&par_dev->dev);
+               goto err_put_port;
+       }
 
        /* Chain this onto the list */
        par_dev->prev = NULL;
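Review bot: The new `if (ret)` block drops the last reference and then jumps past `err_free_devname` and `err_free_par_dev`, but nothing in the code says why. A short comment inside the block would help, stating that `put_device()` ends up in `free_pardevice` (assigned to `dev.release` at the top of this hunk), which frees the memory associated with the device, so `par_dev` and `devname` must not be touched after that call. The `err_put_port` label is not visible in this hunk, so please confirm that nothing from that label onward reads `par_dev`, and that `free_pardevice` releases everything the two skipped labels would have released.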
@@ -940,8 +942,6 @@ parport_register_dev_model(struct parport *port, const char *name,
 
        return par_dev;
 
-err_put_dev:
-       put_device(&par_dev->dev);
 err_free_devname:
        kfree(devname);
 err_free_par_dev:
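Review bot: With `err_put_dev` removed, the remaining `err_free_devname` and `err_free_par_dev` labels are safe only for failures that occur before `device_register()` has been called, and the code does not say so. A one-line comment above `err_free_devname` noting that these labels must not be reached once the device has been registered would keep a later change from adding a `goto` to them after that point and bringing back the double free of `devname`.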