From: Paul Walmsley <paul@pwsan.com>
Date: Sat, 25 Apr 2009 11:28:36 +0000 (-0600)
Subject: regulator core: fix double-free in regulator_register() error path
X-Git-Tag: 2.1b_release~12793^2~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=53032dafc6b93ac178ca2340ff8eb4ee2b3d1a92;p=platform%2Fkernel%2Fkernel-mfld-blackbay.git

regulator core: fix double-free in regulator_register() error path

During regulator registration, any error after device_register() will
cause a double-free on the struct regulator_dev 'rdev'.  The bug is in
drivers/regulator/core.c:regulator_register():

...
scrub:
	device_unregister(&rdev->dev);
clean:
	kfree(rdev);                           <---
	rdev = ERR_PTR(ret);
	goto out;
...

device_unregister() calls regulator_dev_release() which frees rdev.  The
subsequent kfree corrupts memory and causes some OMAP3 systems to oops on
boot in regulator_get().

Applies against 2.6.30-rc3.

Signed-off-by: Paul Walmsley <paul@pwsan.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
---

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index cb62be6..2f14c16 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -2080,6 +2080,10 @@ out:
 
 scrub:
 	device_unregister(&rdev->dev);
+	/* device core frees rdev */
+	rdev = ERR_PTR(ret);
+	goto out;
+
 clean:
 	kfree(rdev);
 	rdev = ERR_PTR(ret);