Message ID | 1555572178-73786-1-git-send-email-bianpan2016@163.com (mailing list archive) |
---|---|
State | New, archived |
Series | stm class: Fix possible double free |
On 4/18/2019 12:52 PM, Pan Bian wrote: > The function stm_register_device() calls put_device(&stm->dev) to > release allocated memory (in stm_device_release()) on error paths. > However, after that, the freed memory stm is released again, resulting > in a double free bug. There is a similar issue in the function > stm_source_register_device. This patch fixes these issues. > > Signed-off-by: Pan Bian <bianpan2016@163.com> Looks good to me. Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> Cheers, -Mukesh > --- > drivers/hwtracing/stm/core.c | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) > > diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c > index c7ba8ac..cfb5c4d 100644 > --- a/drivers/hwtracing/stm/core.c > +++ b/drivers/hwtracing/stm/core.c > @@ -886,8 +886,10 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, > return -ENOMEM; > > stm->major = register_chrdev(0, stm_data->name, &stm_fops); > - if (stm->major < 0) > - goto err_free; > + if (stm->major < 0) { > + vfree(stm); > + return err; > + } > > device_initialize(&stm->dev); > stm->dev.devt = MKDEV(stm->major, 0); > @@ -933,8 +935,6 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, > > /* matches device_initialize() above */ > put_device(&stm->dev); > -err_free: > - vfree(stm); > > return err; > } > @@ -1277,7 +1277,6 @@ int stm_source_register_device(struct device *parent, > > err: > put_device(&src->dev); > - kfree(src); > > return err; > }
diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index c7ba8ac..cfb5c4d 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c @@ -886,8 +886,10 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, return -ENOMEM; stm->major = register_chrdev(0, stm_data->name, &stm_fops); - if (stm->major < 0) - goto err_free; + if (stm->major < 0) { + vfree(stm); + return err; + } device_initialize(&stm->dev); stm->dev.devt = MKDEV(stm->major, 0); @@ -933,8 +935,6 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, /* matches device_initialize() above */ put_device(&stm->dev); -err_free: - vfree(stm); return err; } @@ -1277,7 +1277,6 @@ int stm_source_register_device(struct device *parent, err: put_device(&src->dev); - kfree(src); return err; }
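Review bot: in the first hunk (@@ -886,8 +886,10 @@) the new error branch returns err without setting it from the failed call, so the negative value that register_chrdev() left in stm->major is discarded and the caller gets whatever err held on entry to the branch. Suggest capturing it before the free: err = stm->major; then vfree(stm); then return err. The read has to come before vfree(stm), since stm is gone afterwards.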
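Review bot: in the second hunk (@@ -933,8 +935,6 @@), with err_free and vfree(stm) removed, the only remaining hint about who frees stm is the comment /* matches device_initialize() above */, which does not say that this put_device() is what releases the allocation. Suggest extending the comment to state that the final put_device(&stm->dev) frees stm through stm_device_release(), as the commit message describes, and that stm must not be dereferenced or freed after it, so a later cleanup does not reintroduce the vfree().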
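Review bot: in the third hunk (@@ -1277,7 +1277,6 @@) dropping kfree(src) after put_device(&src->dev) is only safe if src->dev has a release callback that frees src, and neither the hunk nor the commit message names one (the message names stm_device_release() only for the stm case). Please name the release function for src in the commit message and add a comment at the err: label, along the lines of the one in stm_register_device(), so it is clear that put_device() owns the free on this path.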
The function stm_register_device() calls put_device(&stm->dev) to release allocated memory (in stm_device_release()) on error paths. However, after that, the freed memory stm is released again, resulting in a double free bug. There is a similar issue in the function stm_source_register_device. This patch fixes these issues.

Signed-off-by: Pan Bian <bianpan2016@163.com>
---
drivers/hwtracing/stm/core.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)