PM / devfreq: fix use after free in devfreq_remove_device

In devfreq_remove_device, calling _remove_devfreq will also free devfreq. Don't dereference devfreq->governor->no_central_polling after _remove_devfreq. Signed-off-by: Axel Lin <axel.lin@gmail.com> Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>

PM / devfreq: fix use after free in devfreq_remove_device
In devfreq_remove_device, calling _remove_devfreq will also free devfreq. Don't dereference devfreq->governor->no_central_polling after _remove_devfreq. Signed-off-by: Axel Lin <axel.lin@gmail.com> Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com> Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
9f3bdd4f · Axel Lin · Rafael J. Wysocki · bc9f5449 · 9f3bdd4f
Commit 9f3bdd4f authored Nov 14, 2011 by Axel Lin Committed by Rafael J. Wysocki Nov 14, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

drivers/devfreq/devfreq.c drivers/devfreq/devfreq.c +6 -2

No files found.
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -418,10 +418,14 @@ struct devfreq *devfreq_add_device(struct device *dev,
 */
 int devfreq_remove_device(struct devfreq *devfreq)
 {
+	bool central_polling;
 	if (!devfreq)
 		return -EINVAL;
-	if (!devfreq->governor->no_central_polling) {
+	central_polling = !devfreq->governor->no_central_polling;
+	if (central_polling) {
 		mutex_lock(&devfreq_list_lock);
 		while (wait_remove_device == devfreq) {
 			mutex_unlock(&devfreq_list_lock);
@@ -433,7 +437,7 @@ int devfreq_remove_device(struct devfreq *devfreq)
 	mutex_lock(&devfreq->lock);
 	_remove_devfreq(devfreq, false); /* it unlocks devfreq->lock */
-	if (!devfreq->governor->no_central_polling)
+	if (central_polling)
 		mutex_unlock(&devfreq_list_lock);
 	return 0;