| Message ID | 20230227140614.2913474-1-srinivas.pandruvada@linux.intel.com (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | platform/x86/intel/tpmi: Fix double free reported by Smatch | expand |
Hi, On 2/27/23 15:06, Srinivas Pandruvada wrote: > Fix warning: > drivers/platform/x86/intel/tpmi.c:253 tpmi_create_device() > warn: 'feature_vsec_dev' was already freed. > > If there is some error, feature_vsec_dev memory is freed as part > of resource managed call intel_vsec_add_aux(). So, additional > kfree() call is not required. > > Reordered res allocation and feature_vsec_dev, so that on error > only res is freed. > > Reported-by: Dan Carpenter <error27@gmail.com> > Link: https://lore.kernel.org/platform-driver-x86/Y%2FxYR7WGiPayZu%2FR@kili/T/#u > Fixes: 47731fd2865f ("platform/x86/intel: Intel TPMI enumeration driver") > Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Thanks, I've applied this patch to my review-hans branch: https://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git/log/?h=review-hans I'll rebase that branch once 6.3-rc1 is out and then push the rebased patch to the fixes branch and include it in my next 6.3 fixes pull-req to Linus. Regards, Hans > --- > drivers/platform/x86/intel/tpmi.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/platform/x86/intel/tpmi.c b/drivers/platform/x86/intel/tpmi.c > index c60733261c89..c999732b0f1e 100644 > --- a/drivers/platform/x86/intel/tpmi.c > +++ b/drivers/platform/x86/intel/tpmi.c > @@ -209,14 +209,14 @@ static int tpmi_create_device(struct intel_tpmi_info *tpmi_info, > if (!name) > return -EOPNOTSUPP; > > - feature_vsec_dev = kzalloc(sizeof(*feature_vsec_dev), GFP_KERNEL); > - if (!feature_vsec_dev) > + res = kcalloc(pfs->pfs_header.num_entries, sizeof(*res), GFP_KERNEL); > + if (!res) > return -ENOMEM; > > - res = kcalloc(pfs->pfs_header.num_entries, sizeof(*res), GFP_KERNEL); > - if (!res) { > + feature_vsec_dev = kzalloc(sizeof(*feature_vsec_dev), GFP_KERNEL); > + if (!feature_vsec_dev) { > ret = -ENOMEM; > - goto free_vsec; > + goto free_res; > } > > snprintf(feature_id_name, sizeof(feature_id_name), "tpmi-%s", name); > @@ -239,6 +239,8 @@ static int tpmi_create_device(struct intel_tpmi_info *tpmi_info, > /* > * intel_vsec_add_aux() is resource managed, no explicit > * delete is required on error or on module unload. > + * feature_vsec_dev memory is also freed as part of device > + * delete. > */ > ret = intel_vsec_add_aux(vsec_dev->pcidev, &vsec_dev->auxdev.dev, > feature_vsec_dev, feature_id_name); > @@ -249,8 +251,6 @@ static int tpmi_create_device(struct intel_tpmi_info *tpmi_info, > > free_res: > kfree(res); > -free_vsec: > - kfree(feature_vsec_dev); > > return ret; > }
diff --git a/drivers/platform/x86/intel/tpmi.c b/drivers/platform/x86/intel/tpmi.c index c60733261c89..c999732b0f1e 100644 --- a/drivers/platform/x86/intel/tpmi.c +++ b/drivers/platform/x86/intel/tpmi.c @@ -209,14 +209,14 @@ static int tpmi_create_device(struct intel_tpmi_info *tpmi_info, if (!name) return -EOPNOTSUPP; - feature_vsec_dev = kzalloc(sizeof(*feature_vsec_dev), GFP_KERNEL); - if (!feature_vsec_dev) + res = kcalloc(pfs->pfs_header.num_entries, sizeof(*res), GFP_KERNEL); + if (!res) return -ENOMEM; - res = kcalloc(pfs->pfs_header.num_entries, sizeof(*res), GFP_KERNEL); - if (!res) { + feature_vsec_dev = kzalloc(sizeof(*feature_vsec_dev), GFP_KERNEL); + if (!feature_vsec_dev) { ret = -ENOMEM; - goto free_vsec; + goto free_res; } snprintf(feature_id_name, sizeof(feature_id_name), "tpmi-%s", name); @@ -239,6 +239,8 @@ static int tpmi_create_device(struct intel_tpmi_info *tpmi_info, /* * intel_vsec_add_aux() is resource managed, no explicit * delete is required on error or on module unload. + * feature_vsec_dev memory is also freed as part of device + * delete. */ ret = intel_vsec_add_aux(vsec_dev->pcidev, &vsec_dev->auxdev.dev, feature_vsec_dev, feature_id_name); @@ -249,8 +251,6 @@ static int tpmi_create_device(struct intel_tpmi_info *tpmi_info, free_res: kfree(res); -free_vsec: - kfree(feature_vsec_dev); return ret; }
Fix warning: drivers/platform/x86/intel/tpmi.c:253 tpmi_create_device() warn: 'feature_vsec_dev' was already freed. If there is some error, feature_vsec_dev memory is freed as part of resource managed call intel_vsec_add_aux(). So, additional kfree() call is not required. Reordered res allocation and feature_vsec_dev, so that on error only res is freed. Reported-by: Dan Carpenter <error27@gmail.com> Link: https://lore.kernel.org/platform-driver-x86/Y%2FxYR7WGiPayZu%2FR@kili/T/#u Fixes: 47731fd2865f ("platform/x86/intel: Intel TPMI enumeration driver") Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> --- drivers/platform/x86/intel/tpmi.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)