[PATCH] dma: Fix a double free in dma_async_device_register

From: Lv Yunlong
Date: Mon Mar 22 2021 - 09:18:36 EST

Next message: Tianjia Zhang: "[PATCH] sign-file: Fix confusing error messages"
Previous message: Alistair Francis: "[PATCH v6 1/3] dt-bindings: Add vendor prefix for reMarkable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In dma_async_device_register, in the loop
list_for_each_entry(chan, &device->channels, device_node).
If __dma_async_device_channel_register(device, chan) failed
and it colud free chan->local and return err.

But in the err_out branch, it will free chan->local again.
My patch sets chan->local to NULL after it is freed in
__dma_async_device_channel_register().

Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
---
drivers/dma/dmaengine.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index fe6a460c4373..af3ee288bc11 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -1086,6 +1086,7 @@ static int __dma_async_device_channel_register(struct dma_device *device,
kfree(chan->dev);
err_free_local:
free_percpu(chan->local);
+ chan->local = NULL;
return rc;
}

--
2.25.1

Next message: Tianjia Zhang: "[PATCH] sign-file: Fix confusing error messages"
Previous message: Alistair Francis: "[PATCH v6 1/3] dt-bindings: Add vendor prefix for reMarkable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]