Re: [PATCH next] firmware: thead,th1520-aon: Fix use after free in th1520_aon_init()

[Dan Carpenter]

On Sun, Mar 16, 2025 at 01:05:08PM +0100, Markus Elfring wrote:
> > +++ b/drivers/firmware/thead,th1520-aon.c
> > @@ -203,6 +203,7 @@ struct th1520_aon_chan *th1520_aon_init(struct device *dev)
> >  {
> >  	struct th1520_aon_chan *aon_chan;
> >  	struct mbox_client *cl;
> > +	int ret;
> >
> >  	aon_chan = kzalloc(sizeof(*aon_chan), GFP_KERNEL);
> >  	if (!aon_chan)
> > @@ -217,8 +218,9 @@ struct th1520_aon_chan *th1520_aon_init(struct device *dev)
> >  	aon_chan->ch = mbox_request_channel_byname(cl, "aon");
> >  	if (IS_ERR(aon_chan->ch)) {
> >  		dev_err(dev, "Failed to request aon mbox chan\n");
> > +		ret = PTR_ERR(aon_chan->ch);
> >  		kfree(aon_chan);
> > -		return ERR_CAST(aon_chan->ch);
> > +		return ERR_PTR(ret);
> >  	}
> >
> >  	mutex_init(&aon_chan->transaction_lock);
> 
> May the additional variable (for an information) be defined only for
> the affected if branch?
> Would a smaller scope be more appropriate here?

There are some variables which should always be at function scope and
"int ret" is one of those.

regards,
dan carpenter