Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / common / 9f3bdd4f937a75c4589a867dc1f8fefe09c1a618^! / .
commit9f3bdd4f937a75c4589a867dc1f8fefe09c1a618[log] [tgz]
authorAxel Lin <axel.lin@gmail.com>Mon Nov 14 23:31:29 2011 +0100
committerRafael J. Wysocki <rjw@sisk.pl>Mon Nov 14 23:31:29 2011 +0100
tree577e4177cb14c73220875eecebeea6dc3676d4b6
parentbc9f54498eadc5254378e376e8d2111cfd30b229 [diff]
PM / devfreq: fix use after free in devfreq_remove_device

In devfreq_remove_device, calling _remove_devfreq will also free devfreq.
Don't dereference devfreq->governor->no_central_polling after _remove_devfreq.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>

diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index d065925..59d24e9 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c

@@ -418,10 +418,14 @@
  */
 int devfreq_remove_device(struct devfreq *devfreq)
 {
+	bool central_polling;
+
 	if (!devfreq)
 		return -EINVAL;
 
-	if (!devfreq->governor->no_central_polling) {
+	central_polling = !devfreq->governor->no_central_polling;
+
+	if (central_polling) {
 		mutex_lock(&devfreq_list_lock);
 		while (wait_remove_device == devfreq) {
 			mutex_unlock(&devfreq_list_lock);
@@ -433,7 +437,7 @@
 	mutex_lock(&devfreq->lock);
 	_remove_devfreq(devfreq, false); /* it unlocks devfreq->lock */
 
-	if (!devfreq->governor->no_central_polling)
+	if (central_polling)
 		mutex_unlock(&devfreq_list_lock);
 
 	return 0;