2021-03-22 13:19:13

by Lv Yunlong

Subject: [PATCH] dma: Fix a double free in dma_async_device_register

In dma_async_device_register, in the loop
list_for_each_entry(chan, &device->channels, device_node).
If __dma_async_device_channel_register(device, chan) failed
and it could free chan->local and return err.

But in the err_out branch, it will free chan->local again.
My patch sets chan->local to NULL after it is freed in
__dma_async_device_channel_register().

Signed-off-by: Lv Yunlong <[email protected]>
---
drivers/dma/dmaengine.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index fe6a460c4373..af3ee288bc11 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -1086,6 +1086,7 @@ static int __dma_async_device_channel_register(struct dma_device *device,
kfree(chan->dev);
err_free_local:
free_percpu(chan->local);
+ chan->local = NULL;
return rc;
}
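
Review bot: at err_free_local, the added `chan->local = NULL;` prevents the second free only because free_percpu() is a no-op on a NULL pointer, and nothing in the hunk tells a later reader that the caller's err_out cleanup depends on this reset. A one-line comment above the assignment would keep it from being dropped as redundant. The `kfree(chan->dev);` just above it in the same error path leaves chan->dev dangling in the same way, so it is worth checking whether any caller cleanup touches chan->dev after a failed registration and clearing it here too if so. The commit message would also benefit from a Fixes: tag naming the commit that introduced the second free, so the fix can be backported to the right stable trees.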

--
2.25.1