[PATCH master 6/6] regmap-mmio: fix use-after-free

Mon Jun 12 05:53:31 PDT 2023

Once we free ctx, dereferencing it to return ERR_CAST(ctx->clk) is
verboten. Fix this by using an intermediary variable.

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 drivers/base/regmap/regmap-mmio.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/base/regmap/regmap-mmio.c b/drivers/base/regmap/regmap-mmio.c
index 6e6ae5ed54d4..4c6389689cd6 100644
--- a/drivers/base/regmap/regmap-mmio.c
+++ b/drivers/base/regmap/regmap-mmio.c
@@ -289,11 +289,15 @@ struct regmap *regmap_init_mmio_clk(struct device *dev,
 		return ERR_CAST(ctx);
 
 	if (clk_id) {
-		ctx->clk = clk_get(dev, clk_id);
-		if (IS_ERR(ctx->clk)) {
+		struct clk *clk;
+
+		clk = clk_get(dev, clk_id);
+		if (IS_ERR(clk)) {
 			kfree(ctx);
-			return ERR_CAST(ctx->clk);
+			return ERR_CAST(clk);
 		}
+
+		ctx->clk = clk;
 	}
 
 	return regmap_init(dev, &regmap_mmio, ctx, config);
-- 
2.39.2


