regulator: core: correct double remove in rdev_deinit_debugfs

The current ordering of statements in the rdev_deinit_debugfs()
function causes freed memory to be dereferenced.  This occurs
because the regulator_put(rdev->debug_consumer) call results in
debugfs_remove_recursive() being called on
rdev->debug_consumer->debugfs after it was previously removed
by the debugfs_remove_recursive() call to the parent dentry
rdev->debugfs.

Correct this by setting rdev->debug_consumer->debugfs to NULL
after calling debugfs_remove_recursive() for the parent directory
rdev->debugfs.  This ensures that the regulator_put() call does
not try to remove the already removed subdirectory and also that
the debugfs callbacks which make use of rdev->debug_consumer are
removed before rdev->debug_consumer is freed in the regulator_put()
call.

Change-Id: Icb7da7949e401f64cf9e71c732cb40e43ddbdc01
Signed-off-by: David Collins <collinsd@codeaurora.org>
David Collins 2015-11-09 12:15:29 -08:00 committed by Rohit Vaswani
parent 40456168db
commit a118e09f3c

@ -4187,6 +4187,8 @@ static void rdev_deinit_debugfs(struct regulator_dev *rdev)
{
if (!IS_ERR_OR_NULL(rdev)) {
debugfs_remove_recursive(rdev->debugfs);
if (rdev->debug_consumer)
rdev->debug_consumer->debugfs = NULL;
regulator_put(rdev->debug_consumer);
}
}
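
Review bot: the NULL guard in front of the rdev->debug_consumer->debugfs = NULL assignment implies rdev->debug_consumer can be NULL at this point, yet regulator_put(rdev->debug_consumer) on the next line still runs unconditionally. Either move regulator_put() inside the same if block, or state in a comment that it tolerates a NULL argument, so the asymmetry does not read as an oversight. A short comment above the assignment, saying that debugfs_remove_recursive(rdev->debugfs) has already removed the consumer's subdirectory, would also help keep a later cleanup from reordering these statements and bringing back the double remove. Consider setting rdev->debug_consumer to NULL after regulator_put() as well, so no stale pointer to the released consumer is left in rdev.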