[PATCH] Staging:ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe

[PATCH] Staging:ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe

[Lv Yunlong]

In the out_err_bus_register error branch of tpci200_pci_probe,
tpci200->info->cfg_regs is freed by tpci200_uninstall()->
tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
in the first time.

But later, iounmap() is called to free tpci200->info->cfg_regs
again.

My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
to avoid the double free.

Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/ipack/carriers/tpci200.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/ipack/carriers/tpci200.c b/drivers/ipack/carriers/tpci200.c
index ec71063fff76..e1822e87ec3d 100644
--- a/drivers/ipack/carriers/tpci200.c
+++ b/drivers/ipack/carriers/tpci200.c
@@ -596,8 +596,11 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
 
 out_err_bus_register:
 	tpci200_uninstall(tpci200);
+	/* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */
+	tpci200->info->cfg_regs = NULL;
 out_err_install:
-	iounmap(tpci200->info->cfg_regs);
+	if (tpci200->info->cfg_regs)
+		iounmap(tpci200->info->cfg_regs);
 out_err_ioremap:
 	pci_release_region(pdev, TPCI200_CFG_MEM_BAR);
 out_err_pci_request:
-- 
2.25.1

Re: [PATCH] Staging:ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe

[Greg KH]

On Mon, Apr 26, 2021 at 08:35:47AM -0700, Lv Yunlong wrote:
> In the out_err_bus_register error branch of tpci200_pci_probe,
> tpci200->info->cfg_regs is freed by tpci200_uninstall()->
> tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
> in the first time.
> 
> But later, iounmap() is called to free tpci200->info->cfg_regs
> again.
> 
> My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
> to avoid the double free.
> 
> Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
>  drivers/ipack/carriers/tpci200.c | 5 ++++-

This is not a staging driver, why does your subject line say that?

thanks,

greg k-h

Re: Re: [PATCH] Staging:ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe

[lyl2019]

> -----原始邮件-----
> 发件人: "Greg KH" <gregkh@linuxfoundation.org>
> 发送时间: 2021-04-27 00:21:06 (星期二)
> 收件人: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 抄送: siglesias@igalia.com, jens.taprogge@taprogge.org, industrypack-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] Staging:ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
> 
> On Mon, Apr 26, 2021 at 08:35:47AM -0700, Lv Yunlong wrote:
> > In the out_err_bus_register error branch of tpci200_pci_probe,
> > tpci200->info->cfg_regs is freed by tpci200_uninstall()->
> > tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
> > in the first time.
> > 
> > But later, iounmap() is called to free tpci200->info->cfg_regs
> > again.
> > 
> > My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
> > to avoid the double free.
> > 
> > Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
> > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> > ---
> >  drivers/ipack/carriers/tpci200.c | 5 ++++-
> 
> This is not a staging driver, why does your subject line say that?
> 
> thanks,
> 
> greg k-h

I see the fixes cea2f7cdff2af has added the subsystem name in subject, so i guess
that the "Staging" may be an alias of this module. Sorry, i will name the subject
line more carefully in future.