Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp262303yba; Thu, 18 Apr 2019 00:27:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqw7Jf9pwp63DKaMf2Bf5OroQQVoyN5X3fNFUkMcKrWOyiJ5TWDrYxFHbLww3dzLsEqTe2Fs X-Received: by 2002:a62:7089:: with SMTP id l131mr95779670pfc.158.1555572435797; Thu, 18 Apr 2019 00:27:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555572435; cv=none; d=google.com; s=arc-20160816; b=BVHG6BL31zHVJgORBBmZUN4wVAa9s6ZV6WdB76wIuGl6IuatUi56di0uBz8WUKHGsy JOWUKP5R9+TP8YXc8VExysmjBkH/F7aYcJltkEddQcQKhAbqexInGJNkvCi3GNLsH/TP kshkpjmSQk/+V9ckHi8akbtHyOajDpTCaKcIXNBJgMsjHSFHCb2ftu185uANUxEmElHT Tkv7ySNCIHNpT5RHiCj68C3nGBrcJHGeJQqdoKwvqUM3O0qLwt1C+qRrtQdpp/rDC5F8 ammcrPFCPRNVVZmFSzvg3W3d/g9i2c5z7lkYHigRykqmezDGmqy7y5aWTttlOjJUMcq/ Zwqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=A2avxIEXMxtUFGqdlfUaJw2dGK5fmozKEPD9FwObH70=; b=Ma5b3k18vfWgN8wY9AE0mp/g6+fvljwy0RRULjP5qE6i6HWGIjTmeFoJJWiY00kkhs IMeB3lafl5S6mkExWesYsJNQIU9Qshtp9bFNWH+GvGCjO8WGem2CoGWxjCms1HkFNIUq XPhsUMDtnq4HMMghqd2Hroc5JqvSFo9bc4MPUnfWqlRbTSucCeADPWeJZkL7B130lz3w 5NyTst4XavsUM+l7Xqs5uf9qoCTrdhjg+MSCIXY/G2yB5RF7Ng4HzlG/N4asr9VqQuJ7 aN4Fj01eVQJEQnU0zyYuaez1JF6anWF2bYz6E+Trta5HJVXkLLkkxmTxOaj3m+rBE2V0 tuUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@163.com header.s=s110527 header.b=Q1sf1Rhk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t26si1144965pgu.327.2019.04.18.00.26.49; Thu, 18 Apr 2019 00:27:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@163.com header.s=s110527 header.b=Q1sf1Rhk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=163.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388147AbfDRHX7 (ORCPT + 99 others); Thu, 18 Apr 2019 03:23:59 -0400 Received: from m50-132.163.com ([123.125.50.132]:41047 "EHLO m50-132.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731317AbfDRHX6 (ORCPT ); Thu, 18 Apr 2019 03:23:58 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id; bh=A2avxIEXMxtUFGqdlf UaJw2dGK5fmozKEPD9FwObH70=; b=Q1sf1Rhku4O9XOBto8Sjj0Gd2pxHy4Z5AH nuo2LuqplfA64do2+Ibq9t0wNt4N8TZPUeQikn3BFBPAOVhIxiAj0N2i1Y/HL6+f oGkN/EyRZCWC4TToyPMKbadPhzUEESDh1isKIGJIMzCN0KaaLvnp93wPg7pG2Z9o 1ZlnOmXlU= Received: from bp.localdomain (unknown [218.106.182.174]) by smtp2 (Coremail) with SMTP id DNGowACniR_TJbhcX+MIAA--.174S3; Thu, 18 Apr 2019 15:23:06 +0800 (CST) From: Pan Bian To: Alexander Shishkin , Maxime Coquelin , Alexandre Torgue Cc: linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Pan Bian Subject: stm class: Fix possible double free Date: Thu, 18 Apr 2019 15:22:58 +0800 Message-Id: <1555572178-73786-1-git-send-email-bianpan2016@163.com> X-Mailer: git-send-email 2.7.4 X-CM-TRANSID: DNGowACniR_TJbhcX+MIAA--.174S3 X-Coremail-Antispam: 1Uf129KBjvJXoW7try3Cw4DAr1kCr1kKw1ftFb_yoW8GF43pa 18Ga4Yyry8Krsrur1DJF18ZFy5GayIkw1ruFy0kwna9FZ8Z34vyryYya45CayDJrW8AFWa qFW3ArW8ur1UAw7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07UlkskUUUUU= X-Originating-IP: [218.106.182.174] X-CM-SenderInfo: held01tdqsiiqw6rljoofrz/xtbBZBKaclQHEfe2+AAAsl Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The function stm_register_device() calls put_device(&stm->dev) to release allocated memory (in stm_device_release()) on error paths. However, after that, the freed memory stm is released again, resulting in a double free bug. There is a similar issue in the function stm_source_register_device. This patch fixes these issues. Signed-off-by: Pan Bian --- drivers/hwtracing/stm/core.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index c7ba8ac..cfb5c4d 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c @@ -886,8 +886,10 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, return -ENOMEM; stm->major = register_chrdev(0, stm_data->name, &stm_fops); - if (stm->major < 0) - goto err_free; + if (stm->major < 0) { + vfree(stm); + return err; + } device_initialize(&stm->dev); stm->dev.devt = MKDEV(stm->major, 0); @@ -933,8 +935,6 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, /* matches device_initialize() above */ put_device(&stm->dev); -err_free: - vfree(stm); return err; } @@ -1277,7 +1277,6 @@ int stm_source_register_device(struct device *parent, err: put_device(&src->dev); - kfree(src); return err; } -- 2.7.4