Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp3216691ybc;
        Mon, 25 Nov 2019 10:48:21 -0800 (PST)
X-Google-Smtp-Source: APXvYqzo10Di14VELJOcMGhoTSwNM/mZRdmTYxeY3e3AefLyFD6KKWSF7DTsIlgYADQWgxdgC2RZ
X-Received: by 2002:a05:6402:14d8:: with SMTP id f24mr20388743edx.227.1574707701280;
        Mon, 25 Nov 2019 10:48:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1574707701; cv=none;
        d=google.com; s=arc-20160816;
        b=0uUsiAsK9uxE5cbOl2hXahPT8+7LrBGxyKCJ+02LiJeAZRP6WPiCSMLmp6Z07f8y7x
         e/fR56K8X9GNJ30fH+hKhdZH8C/PyD8WE2VmYg/G6/NN1NmoYk0EG8Z7xLVWkMKkXGk/
         RI7jUKvqdOPQgN0PttDhggU/yV/OfXrOO3QVD+0b5ApC5pWxUpk46azaduJ24m3QYR1m
         hgWMXOqqw7G+Vh4m2Ff+LCNaInmYgM1BD4KZtHpBHC50HsTu52rHlyXpb0OgNKwDnwip
         zYxvt6arbzkMGTzP8hTrfsGDZL7S75JuqaOAjLPKDxW4w+YM3wWeQqyeoy7+LVEKNTvl
         qhBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=kkcxLbXxGQaocCRm/eLN1bA5P/MWEzVu0Oop/6nfzAs=;
        b=AKz539LRVaRvQDHeEcGvk5S5CrqPV1iphvxtNdXcaTXtRXwDhgkPGYsfl4TP3TVHFY
         VoDSfwlMzt5eGDT8pNQ59+elI2GoswwEwbxB8PffRuOrbfPeY0FtTrUNauKiUjtCUcLk
         8F76KbBTXIoFV4kyXp0NZCdx10nXI8Hv9FdolEUJE0hP6gnY4LJwDYfvvgytuNpij+rb
         mhO1EfH5RF0Jf1JHj+b3WiVlmZd5ke/J2PiSJ/RQC9wE7HU56u35hmKSCP3BRX1uhIKV
         ZG47NKd6dFJHh6pgyVapBmQjFXpwA4DB8yQbogtkOrZRrGXeckutBZVCJyuRhqmXHEaQ
         WoQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g11si5124910ejd.233.2019.11.25.10.47.57;
        Mon, 25 Nov 2019 10:48:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728684AbfKYPym (ORCPT <rfc822;1990.zhangzhen@gmail.com>
        + 99 others); Mon, 25 Nov 2019 10:54:42 -0500
Received: from out30-130.freemail.mail.aliyun.com ([115.124.30.130]:44654 "EHLO
        out30-130.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1728243AbfKYPym (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 25 Nov 2019 10:54:42 -0500
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R401e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e07487;MF=wenyang@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0Tj4pjJn_1574697251;
Received: from localhost(mailfrom:wenyang@linux.alibaba.com fp:SMTPD_---0Tj4pjJn_1574697251)
          by smtp.aliyun-inc.com(127.0.0.1);
          Mon, 25 Nov 2019 23:54:29 +0800
From:   Wen Yang <wenyang@linux.alibaba.com>
To:     Sudeep Holla <sudeep.holla@arm.com>
Cc:     Arnd Bergmann <arnd@arndb.de>,
        Wen Yang <wenyang@linux.alibaba.com>,
        linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] firmware: arm_scmi: avoid double free in error flow
Date:   Mon, 25 Nov 2019 23:54:09 +0800
Message-Id: <20191125155409.9948-1-wenyang@linux.alibaba.com>
X-Mailer: git-send-email 2.23.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

If device_register() fails, both put_device() and kfree()
are called, ending with a double free of the scmi_dev.

Calling kfree() is needed only when a failure happens between the
allocation of the scmi_dev and its registration, so move it to
there and remove it from the error flow.

Fixes: 46edb8d1322c ("firmware: arm_scmi: provide the mandatory device release callback")
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
---
 drivers/firmware/arm_scmi/bus.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c
index 92f843ea..7a30952 100644
--- a/drivers/firmware/arm_scmi/bus.c
+++ b/drivers/firmware/arm_scmi/bus.c
@@ -135,8 +135,10 @@ struct scmi_device *
 		return NULL;
 
 	id = ida_simple_get(&scmi_bus_id, 1, 0, GFP_KERNEL);
-	if (id < 0)
-		goto free_mem;
+	if (id < 0) {
+		kfree(scmi_dev);
+		return NULL;
+	}
 
 	scmi_dev->id = id;
 	scmi_dev->protocol_id = protocol;
@@ -154,8 +156,6 @@ struct scmi_device *
 put_dev:
 	put_device(&scmi_dev->dev);
 	ida_simple_remove(&scmi_bus_id, id);
-free_mem:
-	kfree(scmi_dev);
 	return NULL;
 }
 
-- 
1.8.3.1