Re: Re: [PATCH] dma: Fix a double free in dma_async_device_register

2021-03-30 Thread lyl2019
> -Original Message- > From: "Dave Jiang" > Sent: 2021-03-31 00:05:15 (Wednesday) > To: "Lv Yunlong" , vk...@kernel.org > Cc: dmaeng...@vger.kernel.org, linux-kernel@vger.kernel.org > Subject: Re: [PATCH] dma: Fix a double free in dma_async_device_register > &g

Re: [PATCH] dma: Fix a double free in dma_async_device_register

2021-03-30 Thread Dave Jiang
On 3/30/2021 2:01 AM, Lv Yunlong wrote: In the first list_for_each_entry() macro of dma_async_device_register, it gets the chan from list and calls __dma_async_device_channel_register (..,chan). We can see that chan->local is allocated by alloc_percpu() and it is freed chan->local by free_percp

[PATCH] dma: Fix a double free in dma_async_device_register

2021-03-30 Thread Lv Yunlong
In the first list_for_each_entry() macro of dma_async_device_register, it gets the chan from list and calls __dma_async_device_channel_register (..,chan). We can see that chan->local is allocated by alloc_percpu() and it is freed chan->local by free_percpu(chan->local) when __dma_async_device_chann

[PATCH] dma: Fix a double free in dma_async_device_register

2021-03-22 Thread Lv Yunlong
In dma_async_device_register, in the loop list_for_each_entry(chan, &device->channels, device_node). If __dma_async_device_channel_register(device, chan) failed and it could free chan->local and return err. But in the err_out branch, it will free chan->local again. My patch sets chan->local to NUL