| Message ID | 20221108122819.429975-1-yangyingliang@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | mmc: atmel-mci: fix return value check of mmc_add_host() | expand |
On Tue, 8 Nov 2022 at 13:29, Yang Yingliang <yangyingliang@huawei.com> wrote: > > mmc_add_host() may return error, if we ignore its return value, > it will lead two issues: > 1. The memory that allocated in mmc_alloc_host() is leaked. > 2. In the remove() path, mmc_remove_host() will be called to > delete device, but it's not added yet, it will lead a kernel > crash because of null-ptr-deref in device_del(). > > So fix this by checking the return value and calling mmc_free_host() > in the error path. > > Fixes: 7d2be0749a59 ("atmel-mci: Driver for Atmel on-chip MMC controllers") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Applied for next, thanks! Kind regards Uffe > --- > drivers/mmc/host/atmel-mci.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c > index 91d52ba7a39f..bb9bbf1c927b 100644 > --- a/drivers/mmc/host/atmel-mci.c > +++ b/drivers/mmc/host/atmel-mci.c > @@ -2222,6 +2222,7 @@ static int atmci_init_slot(struct atmel_mci *host, > { > struct mmc_host *mmc; > struct atmel_mci_slot *slot; > + int ret; > > mmc = mmc_alloc_host(sizeof(struct atmel_mci_slot), &host->pdev->dev); > if (!mmc) > @@ -2305,11 +2306,13 @@ static int atmci_init_slot(struct atmel_mci *host, > > host->slot[id] = slot; > mmc_regulator_get_supply(mmc); > - mmc_add_host(mmc); > + ret = mmc_add_host(mmc); > + if (ret) { > + mmc_free_host(mmc); > + return ret; > + } > > if (gpio_is_valid(slot->detect_pin)) { > - int ret; > - > timer_setup(&slot->detect_timer, atmci_detect_change, 0); > > ret = request_irq(gpio_to_irq(slot->detect_pin), > -- > 2.25.1 >
diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c index 91d52ba7a39f..bb9bbf1c927b 100644 --- a/drivers/mmc/host/atmel-mci.c +++ b/drivers/mmc/host/atmel-mci.c @@ -2222,6 +2222,7 @@ static int atmci_init_slot(struct atmel_mci *host, { struct mmc_host *mmc; struct atmel_mci_slot *slot; + int ret; mmc = mmc_alloc_host(sizeof(struct atmel_mci_slot), &host->pdev->dev); if (!mmc) @@ -2305,11 +2306,13 @@ static int atmci_init_slot(struct atmel_mci *host, host->slot[id] = slot; mmc_regulator_get_supply(mmc); - mmc_add_host(mmc); + ret = mmc_add_host(mmc); + if (ret) { + mmc_free_host(mmc); + return ret; + } if (gpio_is_valid(slot->detect_pin)) { - int ret; - timer_setup(&slot->detect_timer, atmci_detect_change, 0); ret = request_irq(gpio_to_irq(slot->detect_pin),
mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). So fix this by checking the return value and calling mmc_free_host() in the error path. Fixes: 7d2be0749a59 ("atmel-mci: Driver for Atmel on-chip MMC controllers") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/mmc/host/atmel-mci.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)