mtd: memory corruption in block2mtd.c
authorIngo van Lil <inguin@gmx.de>
Mon, 24 Mar 2008 19:29:44 +0000 (12:29 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 25 Mar 2008 02:22:19 +0000 (19:22 -0700)
The block2mtd driver (drivers/mtd/devices/block2mtd.c) will kfree an on-stack
pointer when handling an invalid argument line (e.g.
block2mtd=/dev/loop0,xxx).

The kfree was added some time ago when "name" was dynamically allocated.

Signed-off-by: Ingo van Lil <inguin@gmx.de>
Acked-by: Joern Engel <joern@lazybastard.org>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: <stable@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/mtd/devices/block2mtd.c

index eeaaa9dce6ef62607ee510e580d647554bca8611..ad1880c67518eead88feb416b72a598fb86a9ba6 100644 (file)
@@ -408,7 +408,6 @@ static int block2mtd_setup2(const char *val)
        if (token[1]) {
                ret = parse_num(&erase_size, token[1]);
                if (ret) {
        if (token[1]) {
                ret = parse_num(&erase_size, token[1]);
                if (ret) {
-                       kfree(name);
                        parse_err("illegal erase size");
                }
        }
                        parse_err("illegal erase size");
                }
        }