[PATCH 5.15 267/846] wilc1000: fix double free error in probe()

From: Greg Kroah-Hartman
Date: Mon Jan 24 2022 - 17:48:18 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.16 0880/1039] xfrm: fix policy lookup for ipv6 gre packets"
Previous message: Greg Kroah-Hartman: "[PATCH 5.15 353/846] ax25: uninitialized variable in ax25_setsockopt()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.15 353/846] ax25: uninitialized variable in ax25_setsockopt()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.15 270/846] iwlwifi: mvm: fix 32-bit build in FTM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

[ Upstream commit 4894edacfa93d7046bec4fc61fc402ac6a2ac9e8 ]

Smatch complains that there is a double free in probe:

drivers/net/wireless/microchip/wilc1000/spi.c:186 wilc_bus_probe() error: double free of 'spi_priv'
drivers/net/wireless/microchip/wilc1000/sdio.c:163 wilc_sdio_probe() error: double free of 'sdio_priv'

The problem is that wilc_netdev_cleanup() function frees "wilc->bus_data".
That's confusing and a layering violation. Leave the frees in probe(),
delete the free in wilc_netdev_cleanup(), and add some new frees to the
remove() functions.

Fixes: dc8b338f3bcd ("wilc1000: use goto labels on error path")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Claudiu Beznea <claudiu.beznea@xxxxxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20211217150311.GC16611@kili
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/wireless/microchip/wilc1000/netdev.c | 1 -
drivers/net/wireless/microchip/wilc1000/sdio.c | 2 ++
drivers/net/wireless/microchip/wilc1000/spi.c | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c
index 7e4d9235251cb..9dfb1a285e6a4 100644
--- a/drivers/net/wireless/microchip/wilc1000/netdev.c
+++ b/drivers/net/wireless/microchip/wilc1000/netdev.c
@@ -901,7 +901,6 @@ void wilc_netdev_cleanup(struct wilc *wilc)

wilc_wlan_cfg_deinit(wilc);
wlan_deinit_locks(wilc);
- kfree(wilc->bus_data);
wiphy_unregister(wilc->wiphy);
wiphy_free(wilc->wiphy);
}
diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c
index 42e03a701ae16..8b3b735231085 100644
--- a/drivers/net/wireless/microchip/wilc1000/sdio.c
+++ b/drivers/net/wireless/microchip/wilc1000/sdio.c
@@ -167,9 +167,11 @@ free:
static void wilc_sdio_remove(struct sdio_func *func)
{
struct wilc *wilc = sdio_get_drvdata(func);
+ struct wilc_sdio *sdio_priv = wilc->bus_data;

clk_disable_unprepare(wilc->rtc_clk);
wilc_netdev_cleanup(wilc);
+ kfree(sdio_priv);
}

static int wilc_sdio_reset(struct wilc *wilc)
diff --git a/drivers/net/wireless/microchip/wilc1000/spi.c b/drivers/net/wireless/microchip/wilc1000/spi.c
index dd481dc0b5ce0..c98c0999a6b67 100644
--- a/drivers/net/wireless/microchip/wilc1000/spi.c
+++ b/drivers/net/wireless/microchip/wilc1000/spi.c
@@ -182,9 +182,11 @@ free:
static int wilc_bus_remove(struct spi_device *spi)
{
struct wilc *wilc = spi_get_drvdata(spi);
+ struct wilc_spi *spi_priv = wilc->bus_data;

clk_disable_unprepare(wilc->rtc_clk);
wilc_netdev_cleanup(wilc);
+ kfree(spi_priv);

return 0;
}
--
2.34.1

Next message: Greg Kroah-Hartman: "[PATCH 5.16 0880/1039] xfrm: fix policy lookup for ipv6 gre packets"
Previous message: Greg Kroah-Hartman: "[PATCH 5.15 353/846] ax25: uninitialized variable in ax25_setsockopt()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.15 353/846] ax25: uninitialized variable in ax25_setsockopt()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.15 270/846] iwlwifi: mvm: fix 32-bit build in FTM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]