Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752618AbbBESZ1 (ORCPT <rfc822;w@1wt.eu>);
	Thu, 5 Feb 2015 13:25:27 -0500
Received: from mail-wi0-f178.google.com ([209.85.212.178]:54189 "EHLO
	mail-wi0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751178AbbBESZ0 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 5 Feb 2015 13:25:26 -0500
From: Alban Browaeys <alban.browaeys@gmail.com>
X-Google-Original-From: Alban Browaeys <prahal@yahoo.com>
To: Tomeu Vizoso <tomeu.vizoso@collabora.com>,
        Mike Turquette <mturquette@linaro.org>,
        Stephen Boyd <sboyd@codeaurora.org>
Cc: linux-kernel@vger.kernel.org, Alban Browaeys <prahal@yahoo.com>
Subject: [PATCH 1/2] clk: Fix __clk_get access to already freed owner field.
Date: Thu,  5 Feb 2015 19:24:49 +0100
Message-Id: <1423160690-7853-1-git-send-email-prahal@yahoo.com>
X-Mailer: git-send-email 2.1.4
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1758
Lines: 62

On the second call to __set_clk_parents from of_clk_set_defaults, here
when registering the second fimc device the kernel OOPS in an "unhandled
paging request at virtual address 6b6b6b77". This in __clk_get when
dereferencing clk->owner.

Move the clk free in the kref managed _clk_release call instead of
plain __clk_put.

Fixes: 035a61c314eb ("clk: Make clk API return per-user struct clk
instances)

Signed-off-by: Alban Browaeys <prahal@yahoo.com>
---
 drivers/clk/clk.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index df94668..8f33722 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -2485,15 +2485,18 @@ EXPORT_SYMBOL_GPL(clk_register);
  */
 static void __clk_release(struct kref *ref)
 {
-	struct clk_core *clk = container_of(ref, struct clk_core, ref);
-	int i = clk->num_parents;
+	struct clk_core *core = container_of(ref, struct clk_core, ref);
+	struct clk *clk = container_of(&core, struct clk, core);
+	int i = core->num_parents;
 
-	kfree(clk->parents);
+	kfree(core->parents);
 	while (--i >= 0)
-		kfree_const(clk->parent_names[i]);
+		kfree_const(core->parent_names[i]);
+
+	kfree(core->parent_names);
+	kfree_const(core->name);
+	kfree(core);
 
-	kfree(clk->parent_names);
-	kfree_const(clk->name);
 	kfree(clk);
 }
 
@@ -2671,8 +2674,6 @@ void __clk_put(struct clk *clk)
 	clk_prepare_unlock();
 
 	module_put(owner);
-
-	kfree(clk);
 }
 
 /***        clk rate change notifiers        ***/
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/