From c1959066ac02bd123201352ff5a8c506469a1645 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 4 Feb 2019 17:10:05 +0300 Subject: soc: fsl: dpio: Use after free in dpaa2_dpio_remove() The dpaa2_io_down(priv->io) call frees "priv->io" so I've shifted the code around a little bit to avoid the use after free. Fixes: 991e873223e9 ("soc: fsl: dpio: use a cpumask to identify which cpus are unused") Signed-off-by: Dan Carpenter Signed-off-by: Li Yang --- drivers/soc/fsl/dpio/dpio-driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/soc') diff --git a/drivers/soc/fsl/dpio/dpio-driver.c b/drivers/soc/fsl/dpio/dpio-driver.c index 2d4af32a0dec..a28799b62d53 100644 --- a/drivers/soc/fsl/dpio/dpio-driver.c +++ b/drivers/soc/fsl/dpio/dpio-driver.c @@ -220,12 +220,12 @@ static int dpaa2_dpio_remove(struct fsl_mc_device *dpio_dev) dev = &dpio_dev->dev; priv = dev_get_drvdata(dev); + cpu = dpaa2_io_get_cpu(priv->io); dpaa2_io_down(priv->io); dpio_teardown_irqs(dpio_dev); - cpu = dpaa2_io_get_cpu(priv->io); cpumask_set_cpu(cpu, cpus_unused_mask); err = dpio_open(dpio_dev->mc_io, 0, dpio_dev->obj_desc.id, -- cgit From bd3bd3b36df725645036748e58a8c35c8d2cbf91 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Tue, 19 Feb 2019 14:05:17 +0000 Subject: soc: fsl: dpio: fix memory leak of a struct qbman on error exit path Currently the error check for a null reg leaks a struct qbman that was allocated earlier. Fix this by kfree'ing p on the error exit path. Signed-off-by: Colin Ian King Signed-off-by: Li Yang --- drivers/soc/fsl/dpio/qbman-portal.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/soc') diff --git a/drivers/soc/fsl/dpio/qbman-portal.c b/drivers/soc/fsl/dpio/qbman-portal.c index 0bddb85c0ae5..5a73397ae79e 100644 --- a/drivers/soc/fsl/dpio/qbman-portal.c +++ b/drivers/soc/fsl/dpio/qbman-portal.c @@ -180,6 +180,7 @@ struct qbman_swp *qbman_swp_init(const struct qbman_swp_desc *d) reg = qbman_read_register(p, QBMAN_CINH_SWP_CFG); if (!reg) { pr_err("qbman: the portal is not enabled!\n"); + kfree(p); return NULL; } -- cgit