[PATCH 1/2] mtd/nand : don't free the global data fsl_lbc_ctrl_dev->nand in fsl_elbc_chip_remove()
Scott Wood
scottwood at freescale.com
Fri Jul 1 02:26:56 EST 2011
On Thu, 30 Jun 2011 14:53:13 +0300
Artem Bityutskiy <dedekind1 at gmail.com> wrote:
> On Wed, 2011-06-29 at 11:45 -0500, Scott Wood wrote:
> > If we're freeing fsl_lbc_ctrl, we'd better get rid of references to it...
>
> Yes, on the one hand this is a good defensive programming practice, on
> the other hand it hides double-free bugs. Like this patch fixes a
> double-free bug, and why it was noticed before? I thought may be because
> of this NULL assignment?
I'm not sure how the NULL assignment was hiding anything here. It was
probably hidden only because nobody tested it with suitable debug options
enabled since the code was last reorganized.
If the NULL assignment is dropped, consider what happens if the
fsl_elbc_nand module is removed then reinserted. On reinsertion, it will
see a non-NULL fsl_lbc_ctrl_dev->nand, and will skip allocating a new one.
Then you're referencing freed memory.
Looking more closely, the MAX_BANKS loop should be removed. Since the
reorganization, the platform device represents one chip, not the
controller, so we should only be removing that one chip.
-Scott
More information about the Linuxppc-dev
mailing list