pinctrl: core: delete incorrect free in pinctrl_enable()

Message ID	578fbe56-44e9-487c-ae95-29b695650f7c@moroto.mountain
State	New
Headers	show Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 513C147A76 for <linux-gpio@vger.kernel.org>; Thu, 21 Mar 2024 06:38:45 +0000 (UTC) Date: Thu, 21 Mar 2024 09:38:39 +0300 From: Dan Carpenter <dan.carpenter@linaro.org> To: Tony Lindgren <tony@atomide.com> Cc: Linus Walleij <linus.walleij@linaro.org>, linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, Peng Fan <peng.fan@nxp.com> Subject: [PATCH] pinctrl: core: delete incorrect free in pinctrl_enable() Message-ID: <578fbe56-44e9-487c-ae95-29b695650f7c@moroto.mountain> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
Series	pinctrl: core: delete incorrect free in pinctrl_enable() \| expand pinctrl: core: delete incorrect free in pinctrl_enable()

Message ID

578fbe56-44e9-487c-ae95-29b695650f7c@moroto.mountain

State

New

Headers

Date: Thu, 21 Mar 2024 09:38:39 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Tony Lindgren <tony@atomide.com>
Cc: Linus Walleij <linus.walleij@linaro.org>, linux-gpio@vger.kernel.org,
	linux-kernel@vger.kernel.org, Peng Fan <peng.fan@nxp.com>
Subject: [PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()
Message-ID: <578fbe56-44e9-487c-ae95-29b695650f7c@moroto.mountain>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Series

pinctrl: core: delete incorrect free in pinctrl_enable() | expand

Commit Message

Dan Carpenter March 21, 2024, 6:38 a.m. UTC

The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
so freeing it in pinctrl_enable() will lead to a double free.

The devm_pinctrl_dev_release() function frees the pindescs and destroys
the mutex as well.

Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
I spotted this during code review and have not tested it.

 drivers/pinctrl/core.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

Comments

Linus Walleij March 28, 2024, 11:05 p.m. UTC | #1

On Thu, Mar 21, 2024 at 7:38 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:

> The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
> It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
> so freeing it in pinctrl_enable() will lead to a double free.
>
> The devm_pinctrl_dev_release() function frees the pindescs and destroys
> the mutex as well.
>
> Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Great find!

Patch applied for fixes.

Thanks Dan,
Linus Walleij

diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index 6649357637ff..cffeb869130d 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -2124,13 +2124,7 @@  int pinctrl_enable(struct pinctrl_dev *pctldev)
 
 	error = pinctrl_claim_hogs(pctldev);
 	if (error) {
-		dev_err(pctldev->dev, "could not claim hogs: %i\n",
-			error);
-		pinctrl_free_pindescs(pctldev, pctldev->desc->pins,
-				      pctldev->desc->npins);
-		mutex_destroy(&pctldev->mutex);
-		kfree(pctldev);
-
+		dev_err(pctldev->dev, "could not claim hogs: %i\n", error);
 		return error;
 	}