From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lv Yunlong, Dave Jiang, Vinod Koul, Sasha Levin
Subject: [PATCH 5.10 010/103] dmaengine: Fix a double free in dma_async_device_register
Date: Mon, 19 Apr 2021 15:05:21 +0200
Message-Id: <20210419130528.149218929@linuxfoundation.org>
In-Reply-To: <20210419130527.791982064@linuxfoundation.org>

From: Lv Yunlong

[ Upstream commit ea45b6008f8095db0cc09ad6e03c7785c2986197 ]

In the first list_for_each_entry() macro of dma_async_device_register,
it gets the chan from the list and calls
__dma_async_device_channel_register(.., chan). We can see that chan->local
is allocated by alloc_percpu() and it is freed by free_percpu(chan->local)
when __dma_async_device_channel_register() fails.

But after __dma_async_device_channel_register() fails, the caller will
goto err_out and free chan->local a second time by free_percpu().

The cause of this problem is forgetting to set chan->local to NULL when
chan->local was freed in __dma_async_device_channel_register(). My
patch sets chan->local to NULL when the callee fails, to avoid the double free.

Fixes: d2fb0a0438384 ("dmaengine: break out channel registration")
Signed-off-by: Lv Yunlong
Reviewed-by: Dave Jiang
Link: https://lore.kernel.org/r/20210331014458.3944-1-lyl2019@mail.ustc.edu.cn
Signed-off-by: Vinod Koul
Signed-off-by: Sasha Levin
--- drivers/dma/dmaengine.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c index fe6a460c4373..af3ee288bc11 100644 --- a/drivers/dma/dmaengine.c +++ b/drivers/dma/dmaengine.c 
@@ -1086,6 +1086,7 @@ static int __dma_async_device_channel_register(struct dma_device *device, kfree(chan->dev); err_free_local: free_percpu(chan->local); + chan->local = NULL; return rc; } -- 2.30.2
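
Review bot: kfree(chan->dev) directly above the err_free_local label still leaves chan->dev dangling on this error path, which is the same stale-pointer pattern the added "chan->local = NULL;" removes for chan->local. Since the commit message says the caller's err_out path revisits the channel after a failure, consider adding "chan->dev = NULL;" after the kfree, or state in the changelog why the caller never touches chan->dev for a channel that failed to register. A one-line comment next to "chan->local = NULL;" noting that the caller relies on NULL to mean "already released" would also keep a later cleanup from dropping the assignment as dead code.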