| Message ID | CALn_uPiZ5VyO7af123ajTGA8hSAdLRTGH5pRZ6woxRMRjA9_NA@mail.gmail.com |
|---|---|
| State | New |
| Delegated to: | Marek Vasut |
| Headers | show |
| Series | xhci_register: Fix double free on failure | expand |
On Tue, Jul 25, 2023 at 3:45 AM Richard Habeeb <richard.habeeb@gmail.com> wrote: > > drivers/core/device.c will call `device_free()` after xhci_register > already frees the private device data. This can cause a crash later > during the boot process, observed on aarch64 RPi4b as a synchronous > exception. All callers of xhci_register use priv_auto, so this won't > lead to memory leaks. > > Signed-off-by: Richard Habeeb <richard.habeeb@gmail.com> > --- > > drivers/usb/host/xhci.c | 1 - > 1 file changed, 1 deletion(-) > Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
On Mon, 24 Jul 2023 at 13:45, Richard Habeeb <richard.habeeb@gmail.com> wrote: > > drivers/core/device.c will call `device_free()` after xhci_register > already frees the private device data. This can cause a crash later > during the boot process, observed on aarch64 RPi4b as a synchronous > exception. All callers of xhci_register use priv_auto, so this won't > lead to memory leaks. > > Signed-off-by: Richard Habeeb <richard.habeeb@gmail.com> > --- > > drivers/usb/host/xhci.c | 1 - > 1 file changed, 1 deletion(-) > Reviewed-by: Simon Glass <sjg@chromium.org>
On 7/24/23 21:45, Richard Habeeb wrote: > drivers/core/device.c will call `device_free()` after xhci_register > already frees the private device data. This can cause a crash later > during the boot process, observed on aarch64 RPi4b as a synchronous > exception. All callers of xhci_register use priv_auto, so this won't > lead to memory leaks. > > Signed-off-by: Richard Habeeb <richard.habeeb@gmail.com> > --- > > drivers/usb/host/xhci.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c > index 9e33c5d855..5cacf0769e 100644 > --- a/drivers/usb/host/xhci.c > +++ b/drivers/usb/host/xhci.c > @@ -1418,7 +1418,6 @@ int xhci_register(struct udevice *dev, struct > xhci_hccr *hccr, > > return 0; > err: > - free(ctrl); > debug("%s: failed, ret=%d\n", __func__, ret); > return ret; > } The patch is corrupted (tabs in original source replaced by spaces). Subject: tags should be 'usb: xhci:' . Please make sure to use git send-email and look at previous commits for subject tags next time . Both fixed and applied to usb/master , thanks.
Thanks, my apologies. On Wed, Jul 26, 2023 at 10:01 PM Marek Vasut <marex@denx.de> wrote: > On 7/24/23 21:45, Richard Habeeb wrote: > > drivers/core/device.c will call `device_free()` after xhci_register > > already frees the private device data. This can cause a crash later > > during the boot process, observed on aarch64 RPi4b as a synchronous > > exception. All callers of xhci_register use priv_auto, so this won't > > lead to memory leaks. > > > > Signed-off-by: Richard Habeeb <richard.habeeb@gmail.com> > > --- > > > > drivers/usb/host/xhci.c | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c > > index 9e33c5d855..5cacf0769e 100644 > > --- a/drivers/usb/host/xhci.c > > +++ b/drivers/usb/host/xhci.c > > @@ -1418,7 +1418,6 @@ int xhci_register(struct udevice *dev, struct > > xhci_hccr *hccr, > > > > return 0; > > err: > > - free(ctrl); > > debug("%s: failed, ret=%d\n", __func__, ret); > > return ret; > > } > > The patch is corrupted (tabs in original source replaced by spaces). > > Subject: tags should be 'usb: xhci:' . > > Please make sure to use git send-email and look at previous commits for > subject tags next time . > > Both fixed and applied to usb/master , thanks. >
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 9e33c5d855..5cacf0769e 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1418,7 +1418,6 @@ int xhci_register(struct udevice *dev, struct xhci_hccr *hccr, return 0; err: - free(ctrl); debug("%s: failed, ret=%d\n", __func__, ret); return ret;
drivers/core/device.c will call `device_free()` after xhci_register already frees the private device data. This can cause a crash later during the boot process, observed on aarch64 RPi4b as a synchronous exception. All callers of xhci_register use priv_auto, so this won't lead to memory leaks. Signed-off-by: Richard Habeeb <richard.habeeb@gmail.com> --- drivers/usb/host/xhci.c | 1 - 1 file changed, 1 deletion(-) }