diff mbox series

[v2,1/2] clk: renesas: fix a double free on error

Message ID YMtYs7LVveYH4eRe@mwanda (mailing list archive)
State Accepted
Delegated to: Geert Uytterhoeven
Headers show
Series [v2,1/2] clk: renesas: fix a double free on error | expand

Commit Message

Dan Carpenter June 17, 2021, 2:14 p.m. UTC
The "pll_clk" and "clock" pointers are allocated with devm_kzalloc() so
freeing them with kfree() will lead to a double free.  This would only
happen if probe failed, and the system is not bootable.

Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
V2: Fix "pll_clk" as well.

 drivers/clk/renesas/renesas-rzg2l-cpg.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

Comments

Prabhakar Mahadev Lad June 17, 2021, 2:23 p.m. UTC | #1
Hi Dan,

Thank you for the fix.

> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: 17 June 2021 15:14
> To: Geert Uytterhoeven <geert+renesas@glider.be>
> Cc: Michael Turquette <mturquette@baylibre.com>; Stephen Boyd <sboyd@kernel.org>; Prabhakar Mahadev
> Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>; Biju Das <biju.das.jz@bp.renesas.com>; linux-renesas-
> soc@vger.kernel.org; linux-clk@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH v2 1/2] clk: renesas: fix a double free on error
> 
> The "pll_clk" and "clock" pointers are allocated with devm_kzalloc() so freeing them with kfree() will
> lead to a double free.  This would only happen if probe failed, and the system is not bootable.
> 
> Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> V2: Fix "pll_clk" as well.
> 
>  drivers/clk/renesas/renesas-rzg2l-cpg.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

Also Reported-by tag,

Reported-by: kernel test robot <lkp@intel.com>

Cheers,
Prabhakar

> diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> index 5009b9e48b13..7ba36f19896f 100644
> --- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
> +++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> @@ -199,11 +199,7 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
>  	pll_clk->priv = priv;
>  	pll_clk->type = core->type;
> 
> -	clk = clk_register(NULL, &pll_clk->hw);
> -	if (IS_ERR(clk))
> -		kfree(pll_clk);
> -
> -	return clk;
> +	return clk_register(NULL, &pll_clk->hw);
>  }
> 
>  static struct clk
> @@ -473,7 +469,6 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod,
>  fail:
>  	dev_err(dev, "Failed to register %s clock %s: %ld\n", "module",
>  		mod->name, PTR_ERR(clk));
> -	kfree(clock);
>  }
> 
>  #define rcdev_to_priv(x)	container_of(x, struct rzg2l_cpg_priv, rcdev)
> --
> 2.30.2
Geert Uytterhoeven June 17, 2021, 2:48 p.m. UTC | #2
On Thu, Jun 17, 2021 at 4:14 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> The "pll_clk" and "clock" pointers are allocated with devm_kzalloc() so
> freeing them with kfree() will lead to a double free.  This would only
> happen if probe failed, and the system is not bootable.
>
> Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> V2: Fix "pll_clk" as well.

Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
i.e. will queue in renesas-clk for v5.15.

Gr{oetje,eeting}s,

                        Geert
diff mbox series

Patch

diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c
index 5009b9e48b13..7ba36f19896f 100644
--- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
+++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
@@ -199,11 +199,7 @@  rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
 	pll_clk->priv = priv;
 	pll_clk->type = core->type;
 
-	clk = clk_register(NULL, &pll_clk->hw);
-	if (IS_ERR(clk))
-		kfree(pll_clk);
-
-	return clk;
+	return clk_register(NULL, &pll_clk->hw);
 }
 
 static struct clk
@@ -473,7 +469,6 @@  rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod,
 fail:
 	dev_err(dev, "Failed to register %s clock %s: %ld\n", "module",
 		mod->name, PTR_ERR(clk));
-	kfree(clock);
 }
 
 #define rcdev_to_priv(x)	container_of(x, struct rzg2l_cpg_priv, rcdev)