1. Patchew
  2. linux
  3. View series

[PATCH next] pinctrl: spacemit: fix double free of map

Dan Carpenter posted 1 patch 1 month ago 
drivers/pinctrl/spacemit/pinctrl-k1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH next] pinctrl: spacemit: fix double free of map
Posted by Dan Carpenter 1 month ago 
The map pointer is freed by pinctrl_utils_free_map().  It must not be a
devm_ pointer or it leads to a double free when the device is unloaded.

This is similar to a couple bugs Harshit Mogalapalli fixed earlier in
commits 3fd976afe974 ("pinctrl: nuvoton: fix a double free in
ma35_pinctrl_dt_node_to_map_func()") and 4575962aeed6 ("pinctrl: sophgo:
fix double free in cv1800_pctrl_dt_node_to_map()").

Fixes: a83c29e1d145 ("pinctrl: spacemit: add support for SpacemiT K1 SoC")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/pinctrl/spacemit/pinctrl-k1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pinctrl/spacemit/pinctrl-k1.c b/drivers/pinctrl/spacemit/pinctrl-k1.c
index c75ea27b2344..a32579d73613 100644
--- a/drivers/pinctrl/spacemit/pinctrl-k1.c
+++ b/drivers/pinctrl/spacemit/pinctrl-k1.c
@@ -314,7 +314,7 @@ static int spacemit_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
 	if (!grpnames)
 		return -ENOMEM;
 
-	map = devm_kcalloc(dev, ngroups * 2, sizeof(*map), GFP_KERNEL);
+	map = kcalloc(ngroups * 2, sizeof(*map), GFP_KERNEL);
 	if (!map)
 		return -ENOMEM;
 
-- 
2.45.2
Re: [PATCH next] pinctrl: spacemit: fix double free of map
Posted by Linus Walleij 4 weeks ago 
On Wed, Oct 23, 2024 at 10:39 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:

> The map pointer is freed by pinctrl_utils_free_map().  It must not be a
> devm_ pointer or it leads to a double free when the device is unloaded.
>
> This is similar to a couple bugs Harshit Mogalapalli fixed earlier in
> commits 3fd976afe974 ("pinctrl: nuvoton: fix a double free in
> ma35_pinctrl_dt_node_to_map_func()") and 4575962aeed6 ("pinctrl: sophgo:
> fix double free in cv1800_pctrl_dt_node_to_map()").
>
> Fixes: a83c29e1d145 ("pinctrl: spacemit: add support for SpacemiT K1 SoC")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Patch applied!

Yours,
Linus Walleij
Re: [PATCH next] pinctrl: spacemit: fix double free of map
Posted by Yixun Lan 1 month ago 
On 11:39 Wed 23 Oct     , Dan Carpenter wrote:
> The map pointer is freed by pinctrl_utils_free_map().  It must not be a
> devm_ pointer or it leads to a double free when the device is unloaded.
> 
> This is similar to a couple bugs Harshit Mogalapalli fixed earlier in
> commits 3fd976afe974 ("pinctrl: nuvoton: fix a double free in
> ma35_pinctrl_dt_node_to_map_func()") and 4575962aeed6 ("pinctrl: sophgo:
> fix double free in cv1800_pctrl_dt_node_to_map()").
> 
> Fixes: a83c29e1d145 ("pinctrl: spacemit: add support for SpacemiT K1 SoC")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Yixun Lan <dlan@gentoo.org>

thanks,

> ---
>  drivers/pinctrl/spacemit/pinctrl-k1.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/pinctrl/spacemit/pinctrl-k1.c b/drivers/pinctrl/spacemit/pinctrl-k1.c
> index c75ea27b2344..a32579d73613 100644
> --- a/drivers/pinctrl/spacemit/pinctrl-k1.c
> +++ b/drivers/pinctrl/spacemit/pinctrl-k1.c
> @@ -314,7 +314,7 @@ static int spacemit_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
>  	if (!grpnames)
>  		return -ENOMEM;
>  
> -	map = devm_kcalloc(dev, ngroups * 2, sizeof(*map), GFP_KERNEL);
> +	map = kcalloc(ngroups * 2, sizeof(*map), GFP_KERNEL);
>  	if (!map)
>  		return -ENOMEM;
>  
> -- 
> 2.45.2

-- 
Yixun Lan (dlan)
Gentoo Linux Developer
GPG Key ID AABEFD55

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.