The function stm_register_device() calls put_device(&stm->dev) to
release allocated memory (in stm_device_release()) on error paths.
However, after that, the freed memory stm is released again, resulting
in a double free bug. There is a similar issue in the function
stm_source_register_device. This patch fixes these issues.
Signed-off-by: Pan Bian <bianpan2...@163.com>
---
drivers/hwtracing/stm/core.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index c7ba8ac..cfb5c4d 100644
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -886,8 +886,10 @@ int stm_register_device(struct device *parent, struct
stm_data *stm_data,
return -ENOMEM;
stm->major = register_chrdev(0, stm_data->name, &stm_fops);
- if (stm->major < 0)
- goto err_free;
+ if (stm->major < 0) {
+ vfree(stm);
+ return err;
+ }
device_initialize(&stm->dev);
stm->dev.devt = MKDEV(stm->major, 0);
@@ -933,8 +935,6 @@ int stm_register_device(struct device *parent, struct
stm_data *stm_data,
/* matches device_initialize() above */
put_device(&stm->dev);
-err_free:
- vfree(stm);
return err;
}
@@ -1277,7 +1277,6 @@ int stm_source_register_device(struct device *parent,
err:
put_device(&src->dev);
- kfree(src);
return err;
}
--
2.7.4
