diff options
author | Li Dongyang <jerry87905@gmail.com> | 2012-07-25 10:45:09 +1000 |
---|---|---|
committer | Matthew Garrett <mjg@redhat.com> | 2012-07-28 00:28:57 -0400 |
commit | 00d39597e825a2b09ec88d4dd429ff72fe60d9d4 (patch) | |
tree | 477f8a2d70956c05380043b60baeaab6bcc56b4f /drivers/platform | |
parent | d2be15bdda45b184d483754e434c9a1c8ed80a8e (diff) | |
download | op-kernel-dev-00d39597e825a2b09ec88d4dd429ff72fe60d9d4.zip op-kernel-dev-00d39597e825a2b09ec88d4dd429ff72fe60d9d4.tar.gz |
thinkpad_acpi: Free hotkey_keycode_map after unregistering tpacpi_inputdev
We should free hotkey_keycode_map after unregistering tpacpi_inputdev, to aviod
use after free like this:
[ 99.408388] =============================================================================
[ 99.408393] BUG kmalloc-64 (Not tainted): Poison overwritten
[ 99.408394] -----------------------------------------------------------------------------
[ 99.408394]
[ 99.408398] INFO: 0xf2751962-0xf2751995. First byte 0x98 instead of 0x6b
[ 99.408402] INFO: Allocated in 0xfdc88c28 age=79 cpu=0 pid=1329
[ 99.408407] __slab_alloc.isra.50.constprop.56+0x49f/0x533
[ 99.408410] kmem_cache_alloc_trace+0x10d/0x140
[ 99.408412] 0xfdc88c28
[ 99.408414] 0xfdc898cc
[ 99.408417] do_one_initcall+0x112/0x160
[ 99.408420] sys_init_module+0xe6d/0x1bc0
[ 99.408422] sysenter_do_call+0x12/0x28
[ 99.408427] INFO: Freed in hotkey_exit+0x50/0xb0 [thinkpad_acpi] age=14 cpu=1 pid=1333
[ 99.408429] __slab_free+0x3d/0x30b
[ 99.408431] kfree+0x129/0x140
[ 99.408435] hotkey_exit+0x50/0xb0 [thinkpad_acpi]
[ 99.408438] ibm_exit+0xe3/0x1a0 [thinkpad_acpi]
[ 99.408441] thinkpad_acpi_module_exit+0x35/0x208 [thinkpad_acpi]
[ 99.408443] sys_delete_module+0x11f/0x280
[ 99.408445] sysenter_do_call+0x12/0x28
[ 99.408447] INFO: Slab 0xf4d5ea20 objects=17 used=17 fp=0x (null) flags=0x40000080
[ 99.408449] INFO: Object 0xf2751960 @offset=2400 fp=0xf2751780
[ 99.408449]
[ 99.408452] Bytes b4 f2751950: 64 02 00 00 ae ce fe ff 5a 5a 5a 5a 5a 5a 5a 5a d.......ZZZZZZZZ
[ 99.408454] Object f2751960: 6b 6b 98 00 ec 00 8e 00 ee 00 6b 6b e3 00 bf 00 kk........kk....
[ 99.408456] Object f2751970: c2 00 6b 6b 6b 6b cd 00 6b 6b 6b 6b 6b 6b e1 00 ..kkkk..kkkkkk..
[ 99.408458] Object f2751980: e0 00 e4 00 6b 6b 74 01 73 00 72 00 71 00 94 00 ....kkt.s.r.q...
[ 99.408460] Object f2751990: 6b 6b 6b 6b f8 00 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkk..kkkkkkkkk.
[ 99.408462] Redzone f27519a0: bb bb bb bb ....
Signed-off-by: Li Dongyang <Jerry87905@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Diffstat (limited to 'drivers/platform')
-rw-r--r-- | drivers/platform/x86/thinkpad_acpi.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c index ae20355..e7f7328 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -3015,8 +3015,6 @@ static void hotkey_exit(void) if (hotkey_dev_attributes) delete_attr_set(hotkey_dev_attributes, &tpacpi_pdev->dev.kobj); - kfree(hotkey_keycode_map); - dbg_printk(TPACPI_DBG_EXIT | TPACPI_DBG_HKEY, "restoring original HKEY status and mask\n"); /* yes, there is a bitwise or below, we want the @@ -8937,6 +8935,7 @@ static void thinkpad_acpi_module_exit(void) input_unregister_device(tpacpi_inputdev); else input_free_device(tpacpi_inputdev); + kfree(hotkey_keycode_map); } if (tpacpi_hwmon) |