On Thu, 9 May 2019 10:04:47 +0800 Kefeng Wang <wangkefeng.wang@xxxxxxxxxx> wrote: > if iio_dummy_evgen_create() fails, iio_evgen should be NULL, when call > iio_evgen_release() to cleanup, it throws some warning and could cause > double free. > > Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> > Signed-off-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx> Hi Kefeng, I'm not seeing a path to be able to trigger this. iio_dummy_evgen_create is called only in the module_init. If it fails, then the init fails before the device initialization call is made. How would we then be running the device release call in order to end up freeing this again? So I think this is a false positive but perhaps there is a path that I am missing. Jonathan > --- > drivers/iio/dummy/iio_dummy_evgen.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/iio/dummy/iio_dummy_evgen.c b/drivers/iio/dummy/iio_dummy_evgen.c > index c6033e341963..2327b5f52086 100644 > --- a/drivers/iio/dummy/iio_dummy_evgen.c > +++ b/drivers/iio/dummy/iio_dummy_evgen.c > @@ -58,6 +58,7 @@ static int iio_dummy_evgen_create(void) > ret = irq_sim_init(&iio_evgen->irq_sim, IIO_EVENTGEN_NO); > if (ret < 0) { > kfree(iio_evgen); > + iio_evgen = NULL; > return ret; > } > > @@ -118,6 +119,9 @@ EXPORT_SYMBOL_GPL(iio_dummy_evgen_get_regs); > > static void iio_dummy_evgen_free(void) > { > + if (!iio_evgen) > + return; > + > irq_sim_fini(&iio_evgen->irq_sim); > kfree(iio_evgen); > }
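Review bot: In the first hunk, the `iio_evgen = NULL;` added after `kfree(iio_evgen);` in the `irq_sim_init()` error path of `iio_dummy_evgen_create()` is not tied by the changelog to any caller that reaches `iio_dummy_evgen_free()` after a failed create, so the double-free claim cannot be checked from the patch. Either name that call path in the commit message, or describe the change as hardening against a stale global pointer. A simpler shape would be to allocate into a local variable and assign it to `iio_evgen` only once `irq_sim_init()` has succeeded, so the global never holds a freed pointer and no reset is needed.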
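Review bot: In the second hunk, the `if (!iio_evgen) return;` guard at the top of `iio_dummy_evgen_free()` only covers the case where create failed; the function still ends with `kfree(iio_evgen);` and leaves the pointer set, so a second call after a successful free would pass the guard and reach `irq_sim_fini(&iio_evgen->irq_sim)` on freed memory. If the intent is to make the free path safe to call more than once, add `iio_evgen = NULL;` after the `kfree()` here as well. If the function can only run once after a successful create, the guard hides a caller bug rather than fixing one and is better dropped or documented with a comment stating when `iio_evgen` can be NULL at this point.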