From 6a88231fc7da311e4da4ce2011d1a132c80c145a Mon Sep 17 00:00:00 2001
From: Max Asbock <masbock@us.ibm.com>
Date: Thu, 9 Mar 2006 17:33:48 -0800
Subject: [PATCH] ibmasm: use after free fix

The kobject_put() can free the memory at *cmd, but cmd->lock points to a
persistent lock that is not freed with cmd.

Signed-off-by: Max Asbock <masbock@us.ibm.com>
Cc: Vernon Mauery <vernux@us.ibm.com>
Cc: Srihari Vijayaraghavan <sriharivijayaraghavan@yahoo.com.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 drivers/misc/ibmasm/ibmasm.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/ibmasm/ibmasm.h b/drivers/misc/ibmasm/ibmasm.h
index 1cef2387fa65f0..6aba419544488c 100644
--- a/drivers/misc/ibmasm/ibmasm.h
+++ b/drivers/misc/ibmasm/ibmasm.h
@@ -101,15 +101,16 @@ struct command {
 static inline void command_put(struct command *cmd)
 {
 	unsigned long flags;
+	spinlock_t *lock = cmd->lock;
 
-	spin_lock_irqsave(cmd->lock, flags);
-        kobject_put(&cmd->kobj);
-	spin_unlock_irqrestore(cmd->lock, flags);
+	spin_lock_irqsave(lock, flags);
+	kobject_put(&cmd->kobj);
+	spin_unlock_irqrestore(lock, flags);
 }
 
 static inline void command_get(struct command *cmd)
 {
-        kobject_get(&cmd->kobj);
+	kobject_get(&cmd->kobj);
 }
 
 
-- 
cgit 1.2.3-korg