| Message ID | 20211208073544.GA22020@kili (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | media: c8sectpfe: fix double free in configure_channels() | expand |
Hi Dan On 12/8/21 8:35 AM, Dan Carpenter wrote: > The configure_channels() function has a double free because > configure_memdma_and_inputblock() calls free_input_block() and then > it's called again in the error handling code. > > Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 8 +++----- > 1 file changed, 3 insertions(+), 5 deletions(-) > > diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c > index e1f520903248..7bb1384e4bad 100644 > --- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c > +++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c > @@ -925,7 +925,6 @@ static int c8sectpfe_remove(struct platform_device *pdev) > static int configure_channels(struct c8sectpfei *fei) > { > int index = 0, ret; > - struct channel_info *tsin; > struct device_node *child, *np = fei->dev->of_node; > > /* iterate round each tsin and configure memdma descriptor and IB hw */ > @@ -943,10 +942,9 @@ static int configure_channels(struct c8sectpfei *fei) > return 0; > > err_unmap: > - for (index = 0; index < fei->tsin_count; index++) { > - tsin = fei->channel_data[index]; > - free_input_block(fei, tsin); > - } > + while (--index >= 0) > + free_input_block(fei, fei->channel_data[index]); > + > return ret; > } > > Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com> Thanks Patrice
diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c index e1f520903248..7bb1384e4bad 100644 --- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c +++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c @@ -925,7 +925,6 @@ static int c8sectpfe_remove(struct platform_device *pdev) static int configure_channels(struct c8sectpfei *fei) { int index = 0, ret; - struct channel_info *tsin; struct device_node *child, *np = fei->dev->of_node; /* iterate round each tsin and configure memdma descriptor and IB hw */ @@ -943,10 +942,9 @@ static int configure_channels(struct c8sectpfei *fei) return 0; err_unmap: - for (index = 0; index < fei->tsin_count; index++) { - tsin = fei->channel_data[index]; - free_input_block(fei, tsin); - } + while (--index >= 0) + free_input_block(fei, fei->channel_data[index]); + return ret; }
The configure_channels() function has a double free because configure_memdma_and_inputblock() calls free_input_block() and then it's called again in the error handling code. Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)