Commit c2eecefe authored Apr 26, 2022 by Hangyu Hua Committed by Mathieu Poirier Apr 26, 2022

rpmsg: virtio: Fix possible double free in rpmsg_probe()



vch will be free in virtio_rpmsg_release_device() when
rpmsg_ns_register_device() fails. There is no need to call kfree() again.

Fix this by changing error path from free_vch to free_ctrldev.

Fixes: c486682a ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Tested-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Link: https://lore.kernel.org/r/20220426060536.15594-2-hbh25y@gmail.com


Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>

parent 1a358d35

drivers/rpmsg/virtio_rpmsg_bus.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -973,7 +973,8 @@ static int rpmsg_probe(struct virtio_device *vdev)

		err = rpmsg_ns_register_device(rpdev_ns);
		if (err)
		goto free_vch;
		/* vch will be free in virtio_rpmsg_release_device() */
		goto free_ctrldev;
		}

		/*
		@@ -997,8 +998,6 @@ static int rpmsg_probe(struct virtio_device *vdev)

		return 0;

		free_vch:
		kfree(vch);
		free_ctrldev:
		rpmsg_virtio_del_ctrl_dev(rpdev_ctrl);
		free_coherent: