| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Mar 2021 06:08:36 -0700
From: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
To: vkoul@...nel.org
Cc: dmaengine@...r.kernel.org, linux-kernel@...r.kernel.org,
Lv Yunlong <lyl2019@...l.ustc.edu.cn>
Subject: [PATCH] dma: Fix a double free in dma_async_device_register
In dma_async_device_register, in the loop
list_for_each_entry(chan, &device->channels, device_node).
If __dma_async_device_channel_register(device, chan) failed
and it colud free chan->local and return err.
But in the err_out branch, it will free chan->local again.
My patch sets chan->local to NULL after it is freed in
__dma_async_device_channel_register().
Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
---
drivers/dma/dmaengine.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index fe6a460c4373..af3ee288bc11 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -1086,6 +1086,7 @@ static int __dma_async_device_channel_register(struct dma_device *device,
kfree(chan->dev);
err_free_local:
free_percpu(chan->local);
+ chan->local = NULL;
return rc;
}
--
2.25.1
Powered by blists - more mailing lists