From: Jonathan Cameron <jic23@kernel.org>
To: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>,
<linux-iio@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>,
Hulk Robot <hulkci@huawei.com>
Subject: Re: [PATCH] iio: dummy_evgen: check iio_evgen in iio_dummy_evgen_free()
Date: Sat, 11 May 2019 09:58:55 +0100 [thread overview]
Message-ID: <20190511095855.1aaf056b@archlinux> (raw)
In-Reply-To: <20190509020447.20243-1-wangkefeng.wang@huawei.com>
On Thu, 9 May 2019 10:04:47 +0800
Kefeng Wang <wangkefeng.wang@huawei.com> wrote:
> if iio_dummy_evgen_create() fails, iio_evgen should be NULL, when call
> iio_evgen_release() to cleanup, it throws some warning and could cause
> double free.
>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Hi Kefeng,
I'm not seeing a path to be able to trigger this.
iio_dummy_evgen_create is called only in the module_init.
If it fails, then the init fails before the device
initialization call is made.
How would we then be running the device release call
in order to end up freeing this again?
So I think this is a false positive but perhaps there is
a path that I am missing.
Jonathan
> ---
> drivers/iio/dummy/iio_dummy_evgen.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/iio/dummy/iio_dummy_evgen.c b/drivers/iio/dummy/iio_dummy_evgen.c
> index c6033e341963..2327b5f52086 100644
> --- a/drivers/iio/dummy/iio_dummy_evgen.c
> +++ b/drivers/iio/dummy/iio_dummy_evgen.c
> @@ -58,6 +58,7 @@ static int iio_dummy_evgen_create(void)
> ret = irq_sim_init(&iio_evgen->irq_sim, IIO_EVENTGEN_NO);
> if (ret < 0) {
> kfree(iio_evgen);
> + iio_evgen = NULL;
> return ret;
> }
>
> @@ -118,6 +119,9 @@ EXPORT_SYMBOL_GPL(iio_dummy_evgen_get_regs);
>
> static void iio_dummy_evgen_free(void)
> {
> + if (!iio_evgen)
> + return;
> +
> irq_sim_fini(&iio_evgen->irq_sim);
> kfree(iio_evgen);
> }
next prev parent reply other threads:[~2019-05-11 8:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-09 2:04 [PATCH] iio: dummy_evgen: check iio_evgen in iio_dummy_evgen_free() Kefeng Wang
2019-05-11 8:58 ` Jonathan Cameron [this message]
[not found] ` <c691dfa4-4490-d643-e184-ea487bcbea94@huawei.com>
2019-07-28 9:51 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190511095855.1aaf056b@archlinux \
--to=jic23@kernel.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=hulkci@huawei.com \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rodrigosiqueiramelo@gmail.com \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.