platform/chrome: fix double-free in chromeos_laptop_prepare()
[ Upstream commit 6ad4194d6a1e1d11b285989cd648ef695b4a93c0 ]
If chromeos_laptop_prepare_i2c_peripherals() fails after allocating memory
for 'cros_laptop->i2c_peripherals', this memory is freed at 'err_out' label
and nonzero value is returned. Then chromeos_laptop_destroy() is called,
resulting in double-free error.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rustam Subkhankulov <subkhankulov@ispras.ru>
Fixes: 5020cd29d8
("platform/chrome: chromeos_laptop - supply properties for ACPI devices")
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20220813220843.2373004-1-subkhankulov@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:

committed by
Greg Kroah-Hartman

parent
5e25bfcd12
commit
84da5cdf43
@@ -718,6 +718,7 @@ static int __init
|
||||
chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
|
||||
const struct chromeos_laptop *src)
|
||||
{
|
||||
struct i2c_peripheral *i2c_peripherals;
|
||||
struct i2c_peripheral *i2c_dev;
|
||||
struct i2c_board_info *info;
|
||||
int i;
|
||||
@@ -726,17 +727,15 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
|
||||
if (!src->num_i2c_peripherals)
|
||||
return 0;
|
||||
|
||||
cros_laptop->i2c_peripherals = kmemdup(src->i2c_peripherals,
|
||||
src->num_i2c_peripherals *
|
||||
sizeof(*src->i2c_peripherals),
|
||||
GFP_KERNEL);
|
||||
if (!cros_laptop->i2c_peripherals)
|
||||
i2c_peripherals = kmemdup(src->i2c_peripherals,
|
||||
src->num_i2c_peripherals *
|
||||
sizeof(*src->i2c_peripherals),
|
||||
GFP_KERNEL);
|
||||
if (!i2c_peripherals)
|
||||
return -ENOMEM;
|
||||
|
||||
cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals;
|
||||
|
||||
for (i = 0; i < cros_laptop->num_i2c_peripherals; i++) {
|
||||
i2c_dev = &cros_laptop->i2c_peripherals[i];
|
||||
for (i = 0; i < src->num_i2c_peripherals; i++) {
|
||||
i2c_dev = &i2c_peripherals[i];
|
||||
info = &i2c_dev->board_info;
|
||||
|
||||
error = chromeos_laptop_setup_irq(i2c_dev);
|
||||
@@ -754,16 +753,19 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
|
||||
}
|
||||
}
|
||||
|
||||
cros_laptop->i2c_peripherals = i2c_peripherals;
|
||||
cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals;
|
||||
|
||||
return 0;
|
||||
|
||||
err_out:
|
||||
while (--i >= 0) {
|
||||
i2c_dev = &cros_laptop->i2c_peripherals[i];
|
||||
i2c_dev = &i2c_peripherals[i];
|
||||
info = &i2c_dev->board_info;
|
||||
if (info->properties)
|
||||
property_entries_free(info->properties);
|
||||
}
|
||||
kfree(cros_laptop->i2c_peripherals);
|
||||
kfree(i2c_peripherals);
|
||||
return error;
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user