2009-03-06 01:43:34

by Atsushi Nemoto

Subject: [PATCH] mtd: physmap: Fix NULL pointer dereference in error path

commit e480814f138cd5d78a8efe397756ba6b6518fdb6 ("[MTD] [MAPS]
physmap: fix wrong free and del_mtd_{partition,device}") introduces a
NULL pointer dereference in physmap_flash_remove when called from the
error path in physmap_flash_probe (if map_probe failed).

Call del_mtd_{partition,device} only if info->cmtd was not NULL.

Reported-by: pHilipp Zabel <[email protected]>
Signed-off-by: Atsushi Nemoto <[email protected]>
---
drivers/mtd/maps/physmap.c | 19 +++++++++++--------
1 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/mtd/maps/physmap.c b/drivers/mtd/maps/physmap.c
index 4b122e7..2297182 100644
--- a/drivers/mtd/maps/physmap.c
+++ b/drivers/mtd/maps/physmap.c
@@ -46,16 +46,19 @@ static int physmap_flash_remove(struct platform_device *dev)

physmap_data = dev->dev.platform_data;

+ if (info->cmtd) {
#ifdef CONFIG_MTD_PARTITIONS
- if (info->nr_parts) {
- del_mtd_partitions(info->cmtd);
- kfree(info->parts);
- } else if (physmap_data->nr_parts)
- del_mtd_partitions(info->cmtd);
- else
- del_mtd_device(info->cmtd);
+ if (info->nr_parts || physmap_data->nr_parts)
+ del_mtd_partitions(info->cmtd);
+ else
+ del_mtd_device(info->cmtd);
#else
- del_mtd_device(info->cmtd);
+ del_mtd_device(info->cmtd);
+#endif
+ }
+#ifdef CONFIG_MTD_PARTITIONS
+ if (info->nr_parts)
+ kfree(info->parts);
#endif

#ifdef CONFIG_MTD_CONCAT
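
Review bot: The new `if (info->cmtd) {` check carries no comment saying when info->cmtd can be NULL; the commit message names the probe error path after a failed map_probe, and a one-line comment above the check would keep that reasoning next to the code. The kfree(info->parts) that now sits outside the guard is still conditioned on info->nr_parts, so it runs when info->cmtd is NULL; that is only correct if nr_parts is non-zero exactly when parts was allocated, which this hunk does not show. Since kfree(NULL) is a no-op, freeing info->parts unconditionally would be simpler if info->parts is always either NULL or a valid allocation. It is also worth confirming that the CONFIG_MTD_CONCAT section following this hunk tolerates a NULL info->cmtd, since only its first line is visible here.
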
--
1.5.6.5