Message ID | 20240413064051.31315-1-guanrui.huang@linux.alibaba.com (mailing list archive) |
---|---|
State | New |
Series | [v4,1/2] irqchip/gic-v3-its: Fix double free on error |
On Sat, 13 Apr 2024 07:40:50 +0100, Guanrui Huang <guanrui.huang@linux.alibaba.com> wrote: > > In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error > with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page, > and then there is a double free in its_vpe_irq_domain_alloc. > > Fix it by calling its_vpe_irq_domain_free directly, bitmap and > vprop_page will be freed in this function. > > Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com> > --- > drivers/irqchip/irq-gic-v3-its.c | 9 ++------- > 1 file changed, 2 insertions(+), 7 deletions(-) > > diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c > index fca888b36680..2305f6b524a9 100644 > --- a/drivers/irqchip/irq-gic-v3-its.c > +++ b/drivers/irqchip/irq-gic-v3-its.c > @@ -4561,13 +4561,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i)); > } > > - if (err) { > - if (i > 0) > - its_vpe_irq_domain_free(domain, virq, i); > - > - its_lpi_free(bitmap, base, nr_ids); > - its_free_prop_table(vprop_page); > - } > + if (err) > + its_vpe_irq_domain_free(domain, virq, i); > > return err; > } Reviewed-by: Marc Zyngier <maz@kernel.org> M.
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index fca888b36680..2305f6b524a9 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -4561,13 +4561,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i)); } - if (err) { - if (i > 0) - its_vpe_irq_domain_free(domain, virq, i); - - its_lpi_free(bitmap, base, nr_ids); - its_free_prop_table(vprop_page); - } + if (err) + its_vpe_irq_domain_free(domain, virq, i); return err; }
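Review bot: With the `if (i > 0)` guard removed, a failure of the first its_vpe_init() call now reaches `its_vpe_irq_domain_free(domain, virq, i)` with i == 0, and the unconditional `its_lpi_free(bitmap, base, nr_ids)` and `its_free_prop_table(vprop_page)` calls that used to cover that case are gone. The changelog only says its_vpe_irq_domain_free "may free" bitmap and vprop_page, and only discusses i > 0. Please state in the commit message, or in a short comment above the call, that the free path also releases both when it is called with a count of zero; as written, the hunk alone cannot show that the double free has not been traded for a leak on the i == 0 path. A Fixes: tag naming the commit that introduced the double free would also help with stable backports.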
In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page, and then there is a double free in its_vpe_irq_domain_alloc.

Fix it by calling its_vpe_irq_domain_free directly, bitmap and vprop_page will be freed in this function.

Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
---
 drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)