From nobody Sun Jun 14 07:38:16 2026
Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com
 [209.85.215.180])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id EDD2C3A7844
	for <linux-kernel@vger.kernel.org>; Fri,  1 May 2026 19:00:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.215.180
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1777662034; cv=none;
 b=GX3zqGVFSOOTZBVRjmmv3+DhVUW+x4G5SN9AUtviuZFlOd2EpPLELONJ0c9TcEDw/+z6LOQ/8S+gut7llDZ3pw7IzaP968Bvw0wc3jaupvs14Qgqcx8sc16DoPBFnPGFeov8UJvi+cQ3yFUz9AS8ohxHIFI6Xd66rkw0lBH1sdU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1777662034; c=relaxed/simple;
	bh=J6D9KYDFjB2m0D4tZGtKNFNFDOx+6/Y/naS4pbb+Knw=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=DXLEUxl33anebeE0fo0Y5ezxSS+Jk+wkViSCsLZjozp8xPFey2cb1yrb0NDb1eoOWIrIfDSxafzTnQzZ93HcUrrVmz3HxvT9oGNtY9qikpq8wngzmKOGUNRC1z8k1idpeOcQerbdBF7WNI79miO9RHDaQx/nTa2SsunfsYvWSvA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=XL1DKeSM; arc=none smtp.client-ip=209.85.215.180
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="XL1DKeSM"
Received: by mail-pg1-f180.google.com with SMTP id
 41be03b00d2f7-c795f441ff7so1327294a12.2
        for <linux-kernel@vger.kernel.org>;
 Fri, 01 May 2026 12:00:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1777662032; x=1778266832;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=vqfXSrQ/LcVyuHZiK19DFrhGz1VJgx9L+sEeQ6hZEtk=;
        b=XL1DKeSMzJhnJgu+XAvs7NLlKAVPPUNpND8U+YTPf9fUT2esF2h9b5pHCtvzKUFm+M
         qeH2gpgqtAXCrC6cIX1qjKRvvTTaJcEG/DgHxhgfh3Os65piDOrP7LAEUfI+0YcDOiEQ
         h7BPMhn6F77ZuwYwEoqQQ3inHS6PX/F/36x7bXm3J2Tko8qRjRbkesZuOtdYa/DOdz1S
         YgNar2Us/nZODFQRovEv+asGsTfOx8NbIsWmRFxN8snLAL1Yq7qi6G8gr7BcSspnISlW
         lSakbrAJPw7+1jjhAHNuin3qzfAa5MwtwnBOQwVwENsTRC8sFrZwfjWbuBcFNTGkZ2vN
         zYxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777662032; x=1778266832;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=vqfXSrQ/LcVyuHZiK19DFrhGz1VJgx9L+sEeQ6hZEtk=;
        b=Scko2jd/eU517V3+v1aYCJFjBdPSMS+ETdkNQJyn3tm/VEbrgpZJcAzfa1++z1Wdv/
         T4RdNHXVooo9P6PPMgFdv63ABr+huINEcsyaxS2kO5nP76Q8D15yt7k3zmJZ9cQeZz4V
         0lNjXgCtWwq+y9ntF9tu/Y/yUxujz4llog1XqZe+f3hCYqtpYDGDi95xagPzawJTgV+Q
         cOytGmze63uN4BzKs+LAxdA+f08X8PRtG1GG85240y4+/JuEPXmQu/254Mr9c4MEtepX
         nY73rOp7U4MnpypB6sJAvwD6mGuLiK4Br16NhfsZ2jVLvJiu+8/dEZuhT+EpyqYJSht8
         g/iw==
X-Forwarded-Encrypted: i=1;
 AFNElJ94C11iate5Brb+T3NGMLRtlxS650/bi4/9zXbpxvnTHNmkfH0PesQeunfTL+rtnn12RX7nwlGg25ywPkQ=@vger.kernel.org
X-Gm-Message-State: AOJu0Yyc8hpHJ7P7hJntBS07QXuluwkeremsUTjRpeEmIjhr63sRax8K
	G+zxHN8mlHyiLTHciTUAlq5Z9765fBJhdMoXCOy62c41Wfwd2nxSjDez
X-Gm-Gg: AeBDiesqMaJR3f5VcDyU2dLxGAtvEJddxENhE5BDV2ZFC7d4BY8D2kevFtE1+6G0500
	lw32p8298ZLsYOJ1m+xSq5cAqVXixVfRR9bdhHi20ZNIT+JdYvCtk+PPkW3ECLjrQnSO6M1WTTT
	T3A/QVlgrNT/w5tAiLafZ8Aa1BIDtaPPd6aiD6J1hDnFWo9BM5V7K8N0hwH+2nvP1P6GvzhQJzT
	bz8i+LcQRvMhvSKn1lIv6eQhNtpCMr3uqXgqWpZRglDfXUR/iyOZvZRX5XWH7crzkwf1b7vFlAV
	qButNEQXBu1nX0KBvepV+0yaiO1oN4AD+DnVOdf0E217IJiLvP5vBFPzmSXJuOw/9muYnADVuIQ
	T0E4gRmYdNr4+LX9jSFn36dR+ehTn6vOKwY1s0xeNYiOFfy46jff++G3h82cu8R0JLZIsBhaVA5
	2KDy9dilSIEK6elQsxKoeiQfw=
X-Received: by 2002:a05:6a00:883:b0:82f:6dad:7b75 with SMTP id
 d2e1a72fcca58-8352d25e95fmr398194b3a.33.1777662032246;
        Fri, 01 May 2026 12:00:32 -0700 (PDT)
Received: from lgs.. ([118.193.39.24])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-83515b87869sm3543691b3a.61.2026.05.01.12.00.29
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 01 May 2026 12:00:31 -0700 (PDT)
From: Guangshuo Li <lgs201920130244@gmail.com>
To: "Rafael J. Wysocki" <rafael@kernel.org>,
	Viresh Kumar <viresh.kumar@linaro.org>,
	Manivannan Sadhasivam <mani@kernel.org>,
	linux-arm-msm@vger.kernel.org,
	linux-pm@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Guangshuo Li <lgs201920130244@gmail.com>,
	stable@vger.kernel.org
Subject: [PATCH] cpufreq: qcom-cpufreq-hw: Fix possible double free
Date: Sat,  2 May 2026 03:00:05 +0800
Message-ID: <20260501190005.504962-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

qcom_cpufreq.data is allocated with devm_kzalloc() in probe() as an
array of per-domain data. qcom_cpufreq_hw_cpu_init() stores a pointer to
one element of this array in policy->driver_data.

qcom_cpufreq_hw_cpu_exit() currently calls kfree() on policy->driver_data.
This is not valid because the memory is devm-managed. For the first
domain, this can free the devm-managed allocation while the devres entry
is still active, leading to a possible double free when the platform
device is later detached. For other domains, the pointer may refer to an
element inside the array rather than the allocation base.

Remove the kfree(data) call and let devres release qcom_cpufreq.data.

This issue was found by a static analysis tool I am developing.

Fixes: 054a3ef683a1 ("cpufreq: qcom-hw: Allocate qcom_cpufreq_data during p=
robe")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
---
 drivers/cpufreq/qcom-cpufreq-hw.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufr=
eq-hw.c
index ea9a20d27b8f..ef19faedbfec 100644
--- a/drivers/cpufreq/qcom-cpufreq-hw.c
+++ b/drivers/cpufreq/qcom-cpufreq-hw.c
@@ -578,7 +578,6 @@ static void qcom_cpufreq_hw_cpu_exit(struct cpufreq_pol=
icy *policy)
 	dev_pm_opp_of_cpumask_remove_table(policy->related_cpus);
 	qcom_cpufreq_hw_lmh_exit(data);
 	kfree(policy->freq_table);
-	kfree(data);
 }
=20
 static void qcom_cpufreq_ready(struct cpufreq_policy *policy)
--=20
2.43.0