From 8b8cec5204a0f8d13e3716c698c1f4049421db84 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 31 May 2024 16:15:34 +0800 Subject: [PATCH] pinctrl: core: delete incorrect free in pinctrl_enable() mainline inclusion from mainline-v6.9-rc7 commit 5038a66dad0199de60e5671603ea6623eb9e5c79 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TM8C CVE: CVE-2024-36940 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5038a66dad0199de60e5671603ea6623eb9e5c79 -------------------------------- The "pctldev" struct is allocated in devm_pinctrl_register_and_init(). It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(), so freeing it in pinctrl_enable() will lead to a double free. The devm_pinctrl_dev_release() function frees the pindescs and destroys the mutex as well. Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()") Signed-off-by: Dan Carpenter Message-ID: <578fbe56-44e9-487c-ae95-29b695650f7c@moroto.mountain> Signed-off-by: Linus Walleij Signed-off-by: Yang Yingliang --- drivers/pinctrl/core.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c index 1356d6a26d05..82b3cd6903c8 100644 --- a/drivers/pinctrl/core.c +++ b/drivers/pinctrl/core.c @@ -2098,13 +2098,7 @@ int pinctrl_enable(struct pinctrl_dev *pctldev) error = pinctrl_claim_hogs(pctldev); if (error) { - dev_err(pctldev->dev, "could not claim hogs: %i\n", - error); - pinctrl_free_pindescs(pctldev, pctldev->desc->pins, - pctldev->desc->npins); - mutex_destroy(&pctldev->mutex); - kfree(pctldev); - + dev_err(pctldev->dev, "could not claim hogs: %i\n", error); return error; } -- Gitee