| Message ID | 20200902190709.v2.1.I56cf27cd59f4013bd074dc622c8b8248b034a4cc@changeid (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v2] rpmsg: Avoid double-free in mtk_rpmsg_register_device | expand |
On Wed, Sep 02, 2020 at 07:07:15PM +0800, Nicolas Boichat wrote: > If rpmsg_register_device fails, it will call > mtk_rpmsg_release_device which already frees mdev. > > Fixes: 7017996951fde84 ("rpmsg: add rpmsg support for mt8183 SCP.") The SHA should be 12 characters instead of 15. With that: Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> > Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> > --- > > Changes in v2: > - Drop useless if and ret variable (Markus Elfring) > > drivers/rpmsg/mtk_rpmsg.c | 9 +-------- > 1 file changed, 1 insertion(+), 8 deletions(-) > > diff --git a/drivers/rpmsg/mtk_rpmsg.c b/drivers/rpmsg/mtk_rpmsg.c > index 83f2b8804ee989d..96a17ec2914011d 100644 > --- a/drivers/rpmsg/mtk_rpmsg.c > +++ b/drivers/rpmsg/mtk_rpmsg.c > @@ -200,7 +200,6 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, > struct rpmsg_device *rpdev; > struct mtk_rpmsg_device *mdev; > struct platform_device *pdev = mtk_subdev->pdev; > - int ret; > > mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); > if (!mdev) > @@ -219,13 +218,7 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, > rpdev->dev.parent = &pdev->dev; > rpdev->dev.release = mtk_rpmsg_release_device; > > - ret = rpmsg_register_device(rpdev); > - if (ret) { > - kfree(mdev); > - return ret; > - } > - > - return 0; > + return rpmsg_register_device(rpdev); > } > > static void mtk_register_device_work_function(struct work_struct *register_work) > -- > 2.28.0.402.g5ffc5be6b7-goog >
On Thu, Sep 3, 2020 at 12:55 AM Mathieu Poirier <mathieu.poirier@linaro.org> wrote: > > On Wed, Sep 02, 2020 at 07:07:15PM +0800, Nicolas Boichat wrote: > > If rpmsg_register_device fails, it will call > > mtk_rpmsg_release_device which already frees mdev. > > > > Fixes: 7017996951fde84 ("rpmsg: add rpmsg support for mt8183 SCP.") > > The SHA should be 12 characters instead of 15. With that: Done in v3, thanks (and fixed my process for next time). > Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org> > > > Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> > > --- > > > > Changes in v2: > > - Drop useless if and ret variable (Markus Elfring) > > > > drivers/rpmsg/mtk_rpmsg.c | 9 +-------- > > 1 file changed, 1 insertion(+), 8 deletions(-) > > > > diff --git a/drivers/rpmsg/mtk_rpmsg.c b/drivers/rpmsg/mtk_rpmsg.c > > index 83f2b8804ee989d..96a17ec2914011d 100644 > > --- a/drivers/rpmsg/mtk_rpmsg.c > > +++ b/drivers/rpmsg/mtk_rpmsg.c > > @@ -200,7 +200,6 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, > > struct rpmsg_device *rpdev; > > struct mtk_rpmsg_device *mdev; > > struct platform_device *pdev = mtk_subdev->pdev; > > - int ret; > > > > mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); > > if (!mdev) > > @@ -219,13 +218,7 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, > > rpdev->dev.parent = &pdev->dev; > > rpdev->dev.release = mtk_rpmsg_release_device; > > > > - ret = rpmsg_register_device(rpdev); > > - if (ret) { > > - kfree(mdev); > > - return ret; > > - } > > - > > - return 0; > > + return rpmsg_register_device(rpdev); > > } > > > > static void mtk_register_device_work_function(struct work_struct *register_work) > > -- > > 2.28.0.402.g5ffc5be6b7-goog > >
diff --git a/drivers/rpmsg/mtk_rpmsg.c b/drivers/rpmsg/mtk_rpmsg.c index 83f2b8804ee989d..96a17ec2914011d 100644 --- a/drivers/rpmsg/mtk_rpmsg.c +++ b/drivers/rpmsg/mtk_rpmsg.c @@ -200,7 +200,6 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, struct rpmsg_device *rpdev; struct mtk_rpmsg_device *mdev; struct platform_device *pdev = mtk_subdev->pdev; - int ret; mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); if (!mdev) @@ -219,13 +218,7 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, rpdev->dev.parent = &pdev->dev; rpdev->dev.release = mtk_rpmsg_release_device; - ret = rpmsg_register_device(rpdev); - if (ret) { - kfree(mdev); - return ret; - } - - return 0; + return rpmsg_register_device(rpdev); } static void mtk_register_device_work_function(struct work_struct *register_work)
If rpmsg_register_device fails, it will call mtk_rpmsg_release_device which already frees mdev. Fixes: 7017996951fde84 ("rpmsg: add rpmsg support for mt8183 SCP.") Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> --- Changes in v2: - Drop useless if and ret variable (Markus Elfring) drivers/rpmsg/mtk_rpmsg.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-)