[PATCH] coresight: platform: defer connection counter increment until alloc succeeds

James Clark james.clark at linaro.org
Tue May 19 05:46:16 PDT 2026 


On 11/05/2026 5:19 am, Jie Gan wrote:
> coresight_add_out_conn() increments nr_outconns before calling
> devm_krealloc_array() and again before devm_kmalloc(). If either
> allocation fails, the counter is already bumped while the corresponding
> array entry is NULL or uninitialized garbage.
> 
> coresight_add_in_conn() has the same problem with nr_inconns and
> devm_krealloc_array().
> 
> In both cases the probe returns -ENOMEM, which causes
> coresight_get_platform_data() to call coresight_release_platform_data()
> for cleanup. That function iterates up to nr_outconns (or nr_inconns)
> entries and dereferences each pointer unconditionally, hitting the NULL
> or garbage entry and panicking instead of failing gracefully.
> 
> Fix by moving the counter increments to after all allocations succeed,
> so the struct is always consistent on any error path.
> 
> Fixes: 3d4ff657e454 ("coresight: Dynamically add connections")
> Fixes: e3f4e68797a9 ("coresight: Store in-connections as well as out-connections")
> Signed-off-by: Jie Gan <jie.gan at oss.qualcomm.com>

Reviewed-by: James Clark <james.clark at linaro.org>

> ---
>   drivers/hwtracing/coresight/coresight-platform.c | 12 ++++++------
>   1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/hwtracing/coresight/coresight-platform.c b/drivers/hwtracing/coresight/coresight-platform.c
> index e337b6e2bf32..93c2d075cad6 100644
> --- a/drivers/hwtracing/coresight/coresight-platform.c
> +++ b/drivers/hwtracing/coresight/coresight-platform.c
> @@ -45,9 +45,8 @@ coresight_add_out_conn(struct device *dev,
>   		}
>   	}
>   
> -	pdata->nr_outconns++;
>   	pdata->out_conns =
> -		devm_krealloc_array(dev, pdata->out_conns, pdata->nr_outconns,
> +		devm_krealloc_array(dev, pdata->out_conns, pdata->nr_outconns + 1,
>   				    sizeof(*pdata->out_conns), GFP_KERNEL);
>   	if (!pdata->out_conns)
>   		return ERR_PTR(-ENOMEM);
> @@ -63,7 +62,8 @@ coresight_add_out_conn(struct device *dev,
>   	 * used right away.
>   	 */
>   	*conn = *new_conn;
> -	pdata->out_conns[pdata->nr_outconns - 1] = conn;
> +	pdata->out_conns[pdata->nr_outconns] = conn;
> +	pdata->nr_outconns++;
>   	return conn;
>   }
>   EXPORT_SYMBOL_GPL(coresight_add_out_conn);
> @@ -86,13 +86,13 @@ int coresight_add_in_conn(struct coresight_connection *out_conn)
>   			return 0;
>   		}
>   
> -	pdata->nr_inconns++;
>   	pdata->in_conns =
> -		devm_krealloc_array(dev, pdata->in_conns, pdata->nr_inconns,
> +		devm_krealloc_array(dev, pdata->in_conns, pdata->nr_inconns + 1,
>   				    sizeof(*pdata->in_conns), GFP_KERNEL);
>   	if (!pdata->in_conns)
>   		return -ENOMEM;
> -	pdata->in_conns[pdata->nr_inconns - 1] = out_conn;
> +	pdata->in_conns[pdata->nr_inconns] = out_conn;
> +	pdata->nr_inconns++;
>   	return 0;
>   }
>   EXPORT_SYMBOL_GPL(coresight_add_in_conn);
> 
> ---
> base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83
> change-id: 20260511-fix-ref-count-issue-7c44ce39700f
> 
> Best regards,

More information about the linux-arm-kernel mailing list