mirror of https://github.com/torvalds/linux.git
ca19808bc6
In docg3_release(), the docg3 pointer is obtained from
cascade->floors[0]->priv before the loop that calls
doc_release_device() on each floor. doc_release_device() frees the
docg3 struct via kfree(docg3) at line 1881. After the loop,
docg3->cascade->bch dereferences the already-freed pointer.
Fix this by accessing cascade->bch directly, which is equivalent
since docg3->cascade points back to the same cascade struct, and
is already available as a local variable. This also removes the
now-unused docg3 local variable.
Fixes:
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| bcm47xxsflash.c | ||
| bcm47xxsflash.h | ||
| block2mtd.c | ||
| docg3.c | ||
| docg3.h | ||
| mchp23k256.c | ||
| mchp48l640.c | ||
| ms02-nv.c | ||
| ms02-nv.h | ||
| mtd_dataflash.c | ||
| mtd_intel_dg.c | ||
| mtdram.c | ||
| phram.c | ||
| pmc551.c | ||
| powernv_flash.c | ||
| serial_flash_cmds.h | ||
| slram.c | ||
| spear_smi.c | ||
| sst25l.c | ||
| st_spi_fsm.c | ||