2024-03-21 06:38:53

by Dan Carpenter

[permalink] [raw]
Subject: [PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()

The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
so freeing it in pinctrl_enable() will lead to a double free.

The devm_pinctrl_dev_release() function frees the pindescs and destroys
the mutex as well.

Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
Signed-off-by: Dan Carpenter <[email protected]>
---
I spotted this during code review and have not tested it.

drivers/pinctrl/core.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index 6649357637ff..cffeb869130d 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -2124,13 +2124,7 @@ int pinctrl_enable(struct pinctrl_dev *pctldev)

error = pinctrl_claim_hogs(pctldev);
if (error) {
- dev_err(pctldev->dev, "could not claim hogs: %i\n",
- error);
- pinctrl_free_pindescs(pctldev, pctldev->desc->pins,
- pctldev->desc->npins);
- mutex_destroy(&pctldev->mutex);
- kfree(pctldev);
-
+ dev_err(pctldev->dev, "could not claim hogs: %i\n", error);
return error;
}

--
2.43.0



2024-03-28 23:05:59

by Linus Walleij

[permalink] [raw]
Subject: Re: [PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()

On Thu, Mar 21, 2024 at 7:38 AM Dan Carpenter <dan.carpenter@linaroorg> wrote:

> The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
> It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
> so freeing it in pinctrl_enable() will lead to a double free.
>
> The devm_pinctrl_dev_release() function frees the pindescs and destroys
> the mutex as well.
>
> Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
> Signed-off-by: Dan Carpenter <[email protected]>

Great find!

Patch applied for fixes.

Thanks Dan,
Linus Walleij