Re: [PATCH] cpufreq: qcom-cpufreq-hw: Fix possible double free

Next message: Dmitry Torokhov: "[PATCH v2 18/20] Input: rmi4 - simplify size calculations in F12"
Previous message: Dmitry Torokhov: "[PATCH v2 17/20] Input: rmi4 - use sizeof(*ptr) and idiomatic checks in f12 allocators"
In reply to: Zhongqiu Han: "Re: [PATCH] cpufreq: qcom-cpufreq-hw: Fix possible double free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Viresh Kumar

Date: Tue May 05 2026 - 01:07:50 EST

On 02-05-26, 03:00, Guangshuo Li wrote:
> qcom_cpufreq.data is allocated with devm_kzalloc() in probe() as an
> array of per-domain data. qcom_cpufreq_hw_cpu_init() stores a pointer to
> one element of this array in policy->driver_data.
>
> qcom_cpufreq_hw_cpu_exit() currently calls kfree() on policy->driver_data.
> This is not valid because the memory is devm-managed. For the first
> domain, this can free the devm-managed allocation while the devres entry
> is still active, leading to a possible double free when the platform
> device is later detached. For other domains, the pointer may refer to an
> element inside the array rather than the allocation base.
>
> Remove the kfree(data) call and let devres release qcom_cpufreq.data.
>
> This issue was found by a static analysis tool I am developing.
>
> Fixes: 054a3ef683a1 ("cpufreq: qcom-hw: Allocate qcom_cpufreq_data during probe")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> drivers/cpufreq/qcom-cpufreq-hw.c | 1 -
> 1 file changed, 1 deletion(-)

Applied. Thanks.

--
viresh