[PATCH] media: c8sectpfe: fix double free in configure_channels()
Patrice CHOTARD
patrice.chotard at foss.st.com
Thu Dec 9 23:39:49 PST 2021
Hi Dan
On 12/8/21 8:35 AM, Dan Carpenter wrote:
> The configure_channels() function has a double free because
> configure_memdma_and_inputblock() calls free_input_block() and then
> it's called again in the error handling code.
>
> Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> ---
> drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 8 +++-----
> 1 file changed, 3 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
> index e1f520903248..7bb1384e4bad 100644
> --- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
> +++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
> @@ -925,7 +925,6 @@ static int c8sectpfe_remove(struct platform_device *pdev)
> static int configure_channels(struct c8sectpfei *fei)
> {
> int index = 0, ret;
> - struct channel_info *tsin;
> struct device_node *child, *np = fei->dev->of_node;
>
> /* iterate round each tsin and configure memdma descriptor and IB hw */
> @@ -943,10 +942,9 @@ static int configure_channels(struct c8sectpfei *fei)
> return 0;
>
> err_unmap:
> - for (index = 0; index < fei->tsin_count; index++) {
> - tsin = fei->channel_data[index];
> - free_input_block(fei, tsin);
> - }
> + while (--index >= 0)
> + free_input_block(fei, fei->channel_data[index]);
> +
> return ret;
> }
>
>
Reviewed-by: Patrice Chotard <patrice.chotard at foss.st.com>
Thanks
Patrice
More information about the linux-arm-kernel
mailing list