The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
so freeing it in pinctrl_enable() will lead to a double free.
The devm_pinctrl_dev_release() function frees the pindescs and destroys
the mutex as well.
Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
Signed-off-by: Dan Carpenter <[email protected]>
---
I spotted this during code review and have not tested it.
drivers/pinctrl/core.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index 6649357637ff..cffeb869130d 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -2124,13 +2124,7 @@ int pinctrl_enable(struct pinctrl_dev *pctldev)
error = pinctrl_claim_hogs(pctldev);
if (error) {
- dev_err(pctldev->dev, "could not claim hogs: %i\n",
- error);
- pinctrl_free_pindescs(pctldev, pctldev->desc->pins,
- pctldev->desc->npins);
- mutex_destroy(&pctldev->mutex);
- kfree(pctldev);
-
+ dev_err(pctldev->dev, "could not claim hogs: %i\n", error);
return error;
}
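Review bot: The commit message justifies dropping the cleanup in the pinctrl_claim_hogs() error branch only for a pctldev that came from devm_pinctrl_register_and_init(); it should also say who frees the pindescs, the mutex and pctldev when a caller used the non-devm pinctrl_register_and_init() named in the Fixes: subject, because after this change pinctrl_enable() returns the error without releasing anything. A short comment above pinctrl_enable() stating that on failure ownership of pctldev stays with the caller (or with devres) would keep a later reader from re-adding the kfree(). Since the note under the "---" says the change is untested, a run that forces pinctrl_claim_hogs() to fail would be worth adding before this goes to stable.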
--
2.43.0
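The ownership rule behind the commit message, as an added userspace model in C (not kernel code and not part of the patch): an object whose release action is registered at allocation time is freed once by the unwind, so an error branch that also frees it produces the second free. All names here (obj, managed_alloc, devres_unwind, enable, probe_double_frees) and the error value are constructed for the illustration.

```c
#include <stdio.h>

/* Constructed userspace model; none of these names are kernel APIs. */
struct obj { int live; };                 /* stands in for pctldev */
struct devres { void (*release)(struct obj *); struct obj *data; };

static struct obj pool[4];                /* static, so a stale pointer stays readable */
static struct devres actions[4];
static int n_obj, n_actions, double_frees;

static void obj_free(struct obj *o)       /* kfree() stand-in that notices a repeat */
{
    double_frees += !o->live;
    o->live = 0;
}

static struct obj *managed_alloc(void)    /* release action registered at birth */
{
    struct obj *o = &pool[n_obj++];
    o->live = 1;
    actions[n_actions++] = (struct devres){ obj_free, o };
    return o;
}

static void devres_unwind(void)           /* run by the core after a failed probe */
{
    while (n_actions > 0) {
        struct devres *d = &actions[--n_actions];
        d->release(d->data);
    }
}

static int enable(struct obj *o, int free_on_error) /* 1 models the removed lines */
{
    if (free_on_error)
        obj_free(o);
    return -22;                           /* constructed error code */
}

static int probe_double_frees(int free_on_error) /* failed probe, then unwind */
{
    n_obj = n_actions = double_frees = 0;
    if (enable(managed_alloc(), free_on_error))
        devres_unwind();
    return double_frees;
}

int main(void)
{
    printf("pre-patch %d, patched %d\n", probe_double_frees(1), probe_double_frees(0));
    return 0;
}
```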
On Thu, Mar 21, 2024 at 7:38 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
> It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
> so freeing it in pinctrl_enable() will lead to a double free.
>
> The devm_pinctrl_dev_release() function frees the pindescs and destroys
> the mutex as well.
>
> Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
> Signed-off-by: Dan Carpenter <[email protected]>
Great find!
Patch applied for fixes.
Thanks Dan,
Linus Walleij