Message ID | YMtQN++uwH41TAg0@mwanda (mailing list archive) |
---|---|
State | Awaiting Upstream, archived |
Headers | show |
Series | clk: renesas: fix a double free on error | expand |
Hi Dan, On Thu, Jun 17, 2021 at 3:38 PM Dan Carpenter <dan.carpenter@oracle.com> wrote: > The "clock" pointer is allocated with devm_kzalloc() so freeing it > here will lead to a double free. > > Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thanks for your patch! While the double free is unlikely to happen (the error is not propagated upstream, and the driver cannot be unloaded), kernel test robot reported two of these errors. The other one is at line 202. Care to fix that as well? > --- a/drivers/clk/renesas/renesas-rzg2l-cpg.c > +++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c > @@ -473,7 +473,6 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod, > fail: > dev_err(dev, "Failed to register %s clock %s: %ld\n", "module", > mod->name, PTR_ERR(clk)); > - kfree(clock); > } Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds
On Thu, Jun 17, 2021 at 03:45:50PM +0200, Geert Uytterhoeven wrote: > Hi Dan, > > On Thu, Jun 17, 2021 at 3:38 PM Dan Carpenter <dan.carpenter@oracle.com> wrote: > > The "clock" pointer is allocated with devm_kzalloc() so freeing it > > here will lead to a double free. > > > > Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Thanks for your patch! > > While the double free is unlikely to happen (the error is not > propagated upstream, and the driver cannot be unloaded), kernel > test robot reported two of these errors. The other one is at line 202. > Care to fix that as well? Yeah, sure. I'll clean up the NULL vs error pointer mixing as well. regards, dan carpenter
diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c index 5009b9e48b13..9516fb4d93e2 100644 --- a/drivers/clk/renesas/renesas-rzg2l-cpg.c +++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c @@ -473,7 +473,6 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod, fail: dev_err(dev, "Failed to register %s clock %s: %ld\n", "module", mod->name, PTR_ERR(clk)); - kfree(clock); } #define rcdev_to_priv(x) container_of(x, struct rzg2l_cpg_priv, rcdev)
The "clock" pointer is allocated with devm_kzalloc() so freeing it here will lead to a double free. Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/clk/renesas/renesas-rzg2l-cpg.c | 1 - 1 file changed, 1 deletion(-)