[PATCH v2 1/2] clk: renesas: fix a double free on error

[PATCH v2 1/2] clk: renesas: fix a double free on error

[Dan Carpenter]

The "pll_clk" and "clock" pointers are allocated with devm_kzalloc() so
freeing them with kfree() will lead to a double free.  This would only
happen if probe failed, and the system is not bootable.

Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
V2: Fix "pll_clk" as well.

 drivers/clk/renesas/renesas-rzg2l-cpg.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c
index 5009b9e48b13..7ba36f19896f 100644
--- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
+++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
@@ -199,11 +199,7 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
 	pll_clk->priv = priv;
 	pll_clk->type = core->type;
 
-	clk = clk_register(NULL, &pll_clk->hw);
-	if (IS_ERR(clk))
-		kfree(pll_clk);
-
-	return clk;
+	return clk_register(NULL, &pll_clk->hw);
 }
 
 static struct clk
@@ -473,7 +469,6 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod,
 fail:
 	dev_err(dev, "Failed to register %s clock %s: %ld\n", "module",
 		mod->name, PTR_ERR(clk));
-	kfree(clock);
 }
 
 #define rcdev_to_priv(x)	container_of(x, struct rzg2l_cpg_priv, rcdev)
-- 
2.30.2

[PATCH 2/2] clk: renesas: Avoid mixing error pointers and NULL

[Dan Carpenter]

These functions accidentally return both error pointers and NULL when
there is an error.  It doesn't cause a problem but it is confusing and
seems unintentional.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/clk/renesas/renesas-rzg2l-cpg.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c
index 7ba36f19896f..83b58e1cb78f 100644
--- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
+++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
@@ -124,7 +124,7 @@ rzg2l_cpg_div_clk_register(const struct cpg_core_clk *core,
 						 core->flag, &priv->rmw_lock);
 
 	if (IS_ERR(clk_hw))
-		return NULL;
+		return ERR_CAST(clk_hw);
 
 	return clk_hw->clk;
 }
@@ -174,17 +174,14 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
 	struct clk_init_data init;
 	const char *parent_name;
 	struct pll_clk *pll_clk;
-	struct clk *clk;
 
 	parent = clks[core->parent & 0xffff];
 	if (IS_ERR(parent))
 		return ERR_CAST(parent);
 
 	pll_clk = devm_kzalloc(dev, sizeof(*pll_clk), GFP_KERNEL);
-	if (!pll_clk) {
-		clk = ERR_PTR(-ENOMEM);
-		return NULL;
-	}
+	if (!pll_clk)
+		return ERR_PTR(-ENOMEM);
 
 	parent_name = __clk_get_name(parent);
 	init.name = core->name;
-- 
2.30.2

RE: [PATCH v2 1/2] clk: renesas: fix a double free on error

[Prabhakar Mahadev Lad]

Hi Dan,

Thank you for the fix.

> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: 17 June 2021 15:14
> To: Geert Uytterhoeven <geert+renesas@glider.be>
> Cc: Michael Turquette <mturquette@baylibre.com>; Stephen Boyd <sboyd@kernel.org>; Prabhakar Mahadev
> Lad <prabhakar.mahadev-lad.rj@bp.renesas.com>; Biju Das <biju.das.jz@bp.renesas.com>; linux-renesas-
> soc@vger.kernel.org; linux-clk@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH v2 1/2] clk: renesas: fix a double free on error
> 
> The "pll_clk" and "clock" pointers are allocated with devm_kzalloc() so freeing them with kfree() will
> lead to a double free.  This would only happen if probe failed, and the system is not bootable.
> 
> Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> V2: Fix "pll_clk" as well.
> 
>  drivers/clk/renesas/renesas-rzg2l-cpg.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

Also Reported-by tag,

Reported-by: kernel test robot <lkp@intel.com>

Cheers,
Prabhakar

> diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> index 5009b9e48b13..7ba36f19896f 100644
> --- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
> +++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> @@ -199,11 +199,7 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
>  	pll_clk->priv = priv;
>  	pll_clk->type = core->type;
> 
> -	clk = clk_register(NULL, &pll_clk->hw);
> -	if (IS_ERR(clk))
> -		kfree(pll_clk);
> -
> -	return clk;
> +	return clk_register(NULL, &pll_clk->hw);
>  }
> 
>  static struct clk
> @@ -473,7 +469,6 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod,
>  fail:
>  	dev_err(dev, "Failed to register %s clock %s: %ld\n", "module",
>  		mod->name, PTR_ERR(clk));
> -	kfree(clock);
>  }
> 
>  #define rcdev_to_priv(x)	container_of(x, struct rzg2l_cpg_priv, rcdev)
> --
> 2.30.2

RE: [PATCH 2/2] clk: renesas: Avoid mixing error pointers and NULL

[Prabhakar Mahadev Lad]

Hi Dan,

Thank you for the patch.

> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@oracle.com>
> Sent: 17 June 2021 15:15
> To: Geert Uytterhoeven <geert+renesas@glider.be>; Prabhakar Mahadev Lad <prabhakar.mahadev-
> lad.rj@bp.renesas.com>
> Cc: Michael Turquette <mturquette@baylibre.com>; Stephen Boyd <sboyd@kernel.org>; linux-renesas-
> soc@vger.kernel.org; linux-clk@vger.kernel.org; linux-kernel@vger.kernel.org; kernel-
> janitors@vger.kernel.org
> Subject: [PATCH 2/2] clk: renesas: Avoid mixing error pointers and NULL
> 
> These functions accidentally return both error pointers and NULL when there is an error.  It doesn't
> cause a problem but it is confusing and seems unintentional.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/clk/renesas/renesas-rzg2l-cpg.c | 9 +++------
>  1 file changed, 3 insertions(+), 6 deletions(-)
> 

Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>

Cheers,
Prabhakar

> diff --git a/drivers/clk/renesas/renesas-rzg2l-cpg.c b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> index 7ba36f19896f..83b58e1cb78f 100644
> --- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
> +++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> @@ -124,7 +124,7 @@ rzg2l_cpg_div_clk_register(const struct cpg_core_clk *core,
>  						 core->flag, &priv->rmw_lock);
> 
>  	if (IS_ERR(clk_hw))
> -		return NULL;
> +		return ERR_CAST(clk_hw);
> 
>  	return clk_hw->clk;
>  }
> @@ -174,17 +174,14 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
>  	struct clk_init_data init;
>  	const char *parent_name;
>  	struct pll_clk *pll_clk;
> -	struct clk *clk;
> 
>  	parent = clks[core->parent & 0xffff];
>  	if (IS_ERR(parent))
>  		return ERR_CAST(parent);
> 
>  	pll_clk = devm_kzalloc(dev, sizeof(*pll_clk), GFP_KERNEL);
> -	if (!pll_clk) {
> -		clk = ERR_PTR(-ENOMEM);
> -		return NULL;
> -	}
> +	if (!pll_clk)
> +		return ERR_PTR(-ENOMEM);
> 
>  	parent_name = __clk_get_name(parent);
>  	init.name = core->name;
> --
> 2.30.2

Re: [PATCH v2 1/2] clk: renesas: fix a double free on error

[Geert Uytterhoeven]

On Thu, Jun 17, 2021 at 4:14 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> The "pll_clk" and "clock" pointers are allocated with devm_kzalloc() so
> freeing them with kfree() will lead to a double free.  This would only
> happen if probe failed, and the system is not bootable.
>
> Fixes: ef3c613ccd68 ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> V2: Fix "pll_clk" as well.

Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
i.e. will queue in renesas-clk for v5.15.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Re: [PATCH 2/2] clk: renesas: Avoid mixing error pointers and NULL

[Geert Uytterhoeven]

Hi Dan,

On Thu, Jun 17, 2021 at 4:15 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> These functions accidentally return both error pointers and NULL when
> there is an error.  It doesn't cause a problem but it is confusing and
> seems unintentional.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
i.e. will queue in renesas-clk-for-v5.15.

> --- a/drivers/clk/renesas/renesas-rzg2l-cpg.c
> +++ b/drivers/clk/renesas/renesas-rzg2l-cpg.c
> @@ -124,7 +124,7 @@ rzg2l_cpg_div_clk_register(const struct cpg_core_clk *core,
>                                                  core->flag, &priv->rmw_lock);
>
>         if (IS_ERR(clk_hw))
> -               return NULL;
> +               return ERR_CAST(clk_hw);
>
>         return clk_hw->clk;
>  }
> @@ -174,17 +174,14 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core,
>         struct clk_init_data init;
>         const char *parent_name;
>         struct pll_clk *pll_clk;
> -       struct clk *clk;
>
>         parent = clks[core->parent & 0xffff];
>         if (IS_ERR(parent))
>                 return ERR_CAST(parent);
>
>         pll_clk = devm_kzalloc(dev, sizeof(*pll_clk), GFP_KERNEL);
> -       if (!pll_clk) {
> -               clk = ERR_PTR(-ENOMEM);
> -               return NULL;
> -       }
> +       if (!pll_clk)
> +               return ERR_PTR(-ENOMEM);

This part I already have, by virtue of
https://lore.kernel.org/r/1623896524-102058-1-git-send-email-yang.lee@linux.alibaba.com

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds