f2d2420bbf
__sa1111_remove always frees its argument, so the subsequent reference to sachip->saved_state represents a use after free. __sa1111_remove does not appear to use the saved_state field, so the patch simply frees it first. A simplified version of the semantic patch that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E,E2; @@ __sa1111_remove(E) ... ( E = E2 | * E ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> |
||
---|---|---|
.. | ||
Kconfig | ||
Makefile | ||
clkdev.c | ||
dmabounce.c | ||
gic.c | ||
icst.c | ||
it8152.c | ||
locomo.c | ||
pl330.c | ||
sa1111.c | ||
scoop.c | ||
sharpsl_param.c | ||
time-acorn.c | ||
uengine.c | ||
via82c505.c | ||
vic.c |