> -原始邮件-
> 发件人: "Dave Jiang"
> 发送时间: 2021-03-31 00:05:15 (星期三)
> 收件人: "Lv Yunlong" , vk...@kernel.org
> 抄送: dmaeng...@vger.kernel.org, linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] dma: Fix a double free in dma_async_device_register
>
&g
On 3/30/2021 2:01 AM, Lv Yunlong wrote:
In the first list_for_each_entry() macro of dma_async_device_register,
it gets the chan from list and calls __dma_async_device_channel_register
(..,chan). We can see that chan->local is allocated by alloc_percpu() and
it is freed chan->local by free_percp
In the first list_for_each_entry() macro of dma_async_device_register,
it gets the chan from list and calls __dma_async_device_channel_register
(..,chan). We can see that chan->local is allocated by alloc_percpu() and
it is freed chan->local by free_percpu(chan->local) when
__dma_async_device_chann
In dma_async_device_register, in the loop
list_for_each_entry(chan, &device->channels, device_node).
If __dma_async_device_channel_register(device, chan) failed
and it colud free chan->local and return err.
But in the err_out branch, it will free chan->local again.
My patch sets chan->local to NUL
4 matches
Mail list logo