[PATCH] xhci_register: Fix double free on failure

drivers/core/device.c will call `device_free()` after xhci_register already frees the private device data. This can cause a crash later during the boot process, observed on aarch64 RPi4b as a synchronous exception. All callers of xhci_register use priv_auto, so this won't lead to memory leaks.
Signed-off-by: Richard Habeeb richard.habeeb@gmail.com
---
drivers/usb/host/xhci.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 9e33c5d855..5cacf0769e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1418,7 +1418,6 @@ int xhci_register(struct udevice *dev, struct xhci_hccr *hccr,
return 0; err: - free(ctrl); debug("%s: failed, ret=%d\n", __func__, ret); return ret; }
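Review bot: at the `err:` label of xhci_register(), once `free(ctrl);` is gone nothing in the function says who releases `ctrl`; the justification (device_free() in drivers/core/device.c frees the private device data, and all callers use priv_auto) lives only in the commit message. A short comment above the `debug()` call stating that `ctrl` is the device's private data and is released by the driver core on failure would keep a later cleanup from reintroducing the free. The function's documentation could also state that callers must provide `ctrl` through priv_auto, since a caller that allocates it any other way would now leak it on this path.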

On Tue, Jul 25, 2023 at 3:45 AM Richard Habeeb richard.habeeb@gmail.com wrote:
drivers/core/device.c will call `device_free()` after xhci_register already frees the private device data. This can cause a crash later during the boot process, observed on aarch64 RPi4b as a synchronous exception. All callers of xhci_register use priv_auto, so this won't lead to memory leaks.
Signed-off-by: Richard Habeeb richard.habeeb@gmail.com
drivers/usb/host/xhci.c | 1 -
1 file changed, 1 deletion(-)
Reviewed-by: Bin Meng bmeng.cn@gmail.com

On Mon, 24 Jul 2023 at 13:45, Richard Habeeb richard.habeeb@gmail.com wrote:
drivers/core/device.c will call `device_free()` after xhci_register already frees the private device data. This can cause a crash later during the boot process, observed on aarch64 RPi4b as a synchronous exception. All callers of xhci_register use priv_auto, so this won't lead to memory leaks.
Signed-off-by: Richard Habeeb richard.habeeb@gmail.com
drivers/usb/host/xhci.c | 1 -
1 file changed, 1 deletion(-)
Reviewed-by: Simon Glass sjg@chromium.org

On 7/24/23 21:45, Richard Habeeb wrote:
drivers/core/device.c will call `device_free()` after xhci_register already frees the private device data. This can cause a crash later during the boot process, observed on aarch64 RPi4b as a synchronous exception. All callers of xhci_register use priv_auto, so this won't lead to memory leaks.
Signed-off-by: Richard Habeeb richard.habeeb@gmail.com
drivers/usb/host/xhci.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 9e33c5d855..5cacf0769e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1418,7 +1418,6 @@ int xhci_register(struct udevice *dev, struct xhci_hccr *hccr,
return 0; err:
- free(ctrl); debug("%s: failed, ret=%d\n", __func__, ret); return ret; }
The patch is corrupted (tabs in original source replaced by spaces).
Subject: tags should be 'usb: xhci:'.
Please make sure to use git send-email and look at previous commits for subject tags next time.
Both fixed and applied to usb/master, thanks.

Thanks, my apologies.
On Wed, Jul 26, 2023 at 10:01 PM Marek Vasut marex@denx.de wrote:
On 7/24/23 21:45, Richard Habeeb wrote:
drivers/core/device.c will call `device_free()` after xhci_register already frees the private device data. This can cause a crash later during the boot process, observed on aarch64 RPi4b as a synchronous exception. All callers of xhci_register use priv_auto, so this won't lead to memory leaks.
Signed-off-by: Richard Habeeb richard.habeeb@gmail.com
drivers/usb/host/xhci.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 9e33c5d855..5cacf0769e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1418,7 +1418,6 @@ int xhci_register(struct udevice *dev, struct xhci_hccr *hccr,
return 0; err:
- free(ctrl); debug("%s: failed, ret=%d\n", __func__, ret); return ret; }
The patch is corrupted (tabs in original source replaced by spaces).
Subject: tags should be 'usb: xhci:'.
Please make sure to use git send-email and look at previous commits for subject tags next time.
Both fixed and applied to usb/master, thanks.
participants (4)
- Bin Meng
- Marek Vasut
- Richard Habeeb
- Simon Glass