Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932436AbcDDVbY (ORCPT <rfc822;w@1wt.eu>);
	Mon, 4 Apr 2016 17:31:24 -0400
Received: from a.ns.miles-group.at ([95.130.255.143]:11949 "EHLO radon.swed.at"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S932390AbcDDVbW (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 4 Apr 2016 17:31:22 -0400
Subject: Re: [PATCH] mtd: gpmi: fix raw_buffer pointer double free issue
To: Han Xu <han.xu@nxp.com>, boris.brezillon@free-electrons.com,
        dwmw2@infradead.org, computersforpeace@gmail.com
References: <1459802489-30382-1-git-send-email-han.xu@nxp.com>
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org
From: Richard Weinberger <richard@nod.at>
Message-ID: <5702DD24.3040003@nod.at>
Date: Mon, 4 Apr 2016 23:31:16 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.1
MIME-Version: 1.0
In-Reply-To: <1459802489-30382-1-git-send-email-han.xu@nxp.com>
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1117
Lines: 35

Am 04.04.2016 um 22:41 schrieb Han Xu:
> fix the raw_buffer pointer double free issue found by coverify.
> 
> CID 18344 (#2 of 2): Double free (USE_AFTER_FREE)
> 3. double_free: Calling gpmi_alloc_dma_buffer frees pointer
> this->raw_buffer which has already been freed
> 
> Signed-off-by: Han Xu <han.xu@nxp.com>
> ---
> 
> changes in v2:
>  - add coverity check log
> ---
>  drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
> index 8122c69..dcb60b0 100644
> --- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
> +++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
> @@ -797,6 +797,7 @@ static void gpmi_free_dma_buffer(struct gpmi_nand_data *this)
>  
>  	this->cmd_buffer	= NULL;
>  	this->data_buffer_dma	= NULL;
> +	this->raw_buffer	= NULL;
>  	this->page_buffer_virt	= NULL;
>  	this->page_buffer_size	=  0;

Reviewed-by: Richard Weinberger <richard@nod.at>

Aside of that, the driver should IMHO be fixed to not call
gpmi_free_dma_buffer() multiple times on the same buffer...

Thanks,
//richard