Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp2678912ybz; Mon, 27 Apr 2020 02:24:04 -0700 (PDT) X-Google-Smtp-Source: APiQypKkIaK6wx1244tzbxEmi4rRisg0WCslSiKdgx9sXXTI80wtBUpmShg5eGxZN35BqV2nJ3Nh X-Received: by 2002:a17:906:f251:: with SMTP id gy17mr17403877ejb.369.1587979444248; Mon, 27 Apr 2020 02:24:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587979444; cv=none; d=google.com; s=arc-20160816; b=I+LWhglSjnAX/kdLLJnrinHAK9swLqkS15EVYlLwN41O5j19K2hJ4L6PXU3mAGtf8Y HTDSC27QZWYwaLQJkYzppZf2CUDCZw9hXF1G1PwTnLO6odzVuUcszMidNqt3UvTnwlAH F2ePtGrhZN9DEWyVohlXtOdOfDIMW3uy5qY84Q7Q+ZyII4Pvm+2fLrDw+rVDD6+evBdQ qbPRoIJ2MSuMBobfWoss6nnOzceXHnFn4MzU60N260bn1tx1meNJwDJcN2cYOWAhmQL6 gc6Lj8pRRZg0qJtYExM+nqs1a2afjiIfq08Zf8SkK3Yuifirb056zWXOh4d/POwaWfu+ MPig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=CsK+oOqNX14aZVSwwWWEmM3ywqc716+UFl5D5GXd3wQ=; b=o4+rd92M44pOhYp9TZ2eOK8XUeOv8pJIKdg2c9WxspZ1eHf4o99DzthRTvoHLDFwoK qtu+jESN+M5mxEQp3hl7oN7ghUCgsWaVMiDf3ygILDVznRqMMh1dB3ZOpedijDKgcpGF AnpK2XzTcHvcqT/7yR/5u3GZ63iNuwfaM79/wqImanYz7dOkbblDY6TBR93NGlqumUQe /UruGsnPrGJBF8pyxLiyWhDGpw5sDG4UALAP+fu7ahIug3zUAahBzXirofh9weUvVzG/ 20l2qgxNcC5zUIat2NSqLoW+J0uUgKqpgTX56YKhJA8SvFZtUwd2zOA3nh4Cf4s/N0nI iTxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dk14si8138046ejb.124.2020.04.27.02.23.41; Mon, 27 Apr 2020 02:24:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726830AbgD0JUO (ORCPT + 99 others); Mon, 27 Apr 2020 05:20:14 -0400 Received: from smtp13.smtpout.orange.fr ([80.12.242.135]:31132 "EHLO smtp.smtpout.orange.fr" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726434AbgD0JUO (ORCPT ); Mon, 27 Apr 2020 05:20:14 -0400 Received: from localhost.localdomain ([92.148.159.11]) by mwinf5d75 with ME id XlL5220090F2omL03lL5VT; Mon, 27 Apr 2020 11:20:12 +0200 X-ME-Helo: localhost.localdomain X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI= X-ME-Date: Mon, 27 Apr 2020 11:20:12 +0200 X-ME-IP: 92.148.159.11 From: Christophe JAILLET To: b.zolnierkie@samsung.com, gregkh@linuxfoundation.org, kstewart@linuxfoundation.org, tglx@linutronix.de, arnd@arndb.de, jani.nikula@intel.com, akpm@osdl.org, adaplas@pol.net, rpurdie@rpsys.net Cc: dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET Subject: [PATCH] video: fbdev: w100fb: Fix a potential double free. Date: Mon, 27 Apr 2020 11:19:45 +0200 Message-Id: <20200427091945.57534-1-christophe.jaillet@wanadoo.fr> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Some memory is vmalloc'ed in the 'suspend' function and freed in the 'resume' function. However, it is also freed in the remove function. In order to avoid a potential double free, set the corresponding pointer to NULL once freed in the 'resume' function. Fixes: aac51f09d96a ("[PATCH] w100fb: Rewrite for platform independence") Signed-off-by: Christophe JAILLET --- drivers/video/fbdev/w100fb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/w100fb.c b/drivers/video/fbdev/w100fb.c index 2d6e2738b792..d96ab28f8ce4 100644 --- a/drivers/video/fbdev/w100fb.c +++ b/drivers/video/fbdev/w100fb.c @@ -588,6 +588,7 @@ static void w100fb_restore_vidmem(struct w100fb_par *par) memsize=par->mach->mem->size; memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_extmem, memsize); vfree(par->saved_extmem); + par->saved_extmem = NULL; } if (par->saved_intmem) { memsize=MEM_INT_SIZE; @@ -596,6 +597,7 @@ static void w100fb_restore_vidmem(struct w100fb_par *par) else memcpy_toio(remapped_fbuf + (W100_FB_BASE-MEM_WINDOW_BASE), par->saved_intmem, memsize); vfree(par->saved_intmem); + par->saved_intmem = NULL; } } -- 2.25.1