In gasket_enable_device, it calls gasket_interrupt_init(). Inside gasket_interrupt_init, interrupt_data is allocated via kzalloc() and then is assigned to gasket_dev->interrupt_data. If the later two kzalloc() failed, interrupt_data will be freed and gasket_dev->interrupt_data will point to a freed memory. After gasket_enable_device received the error, the freed gasket_dev->interrupt_data is freed again in gasket_interrupt_cleanup(gasket_dev). My patch moves the "gasket_dev->interrupt_data = interrupt_data" assignment behind the later kzalloc() all successd, to avoid gasket_dev->interrupt_data pointing to a freed memory Fixes: 80666096eb78f ("staging: gasket: core: remove static function forward declarations") Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx> --- drivers/staging/gasket/gasket_interrupt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/gasket/gasket_interrupt.c b/drivers/staging/gasket/gasket_interrupt.c index 864342acfd86..d4993d7abb87 100644 --- a/drivers/staging/gasket/gasket_interrupt.c +++ b/drivers/staging/gasket/gasket_interrupt.c @@ -322,7 +322,6 @@ int gasket_interrupt_init(struct gasket_dev *gasket_dev) interrupt_data = kzalloc(sizeof(*interrupt_data), GFP_KERNEL); if (!interrupt_data) return -ENOMEM; - gasket_dev->interrupt_data = interrupt_data; interrupt_data->name = driver_desc->name; interrupt_data->type = driver_desc->interrupt_type; interrupt_data->pci_dev = gasket_dev->pci_dev; @@ -349,6 +348,8 @@ int gasket_interrupt_init(struct gasket_dev *gasket_dev) return -ENOMEM; } + gasket_dev->interrupt_data = interrupt_data; + switch (interrupt_data->type) { case PCI_MSIX: ret = gasket_interrupt_msix_init(interrupt_data); -- 2.25.1
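Review bot: For the first hunk (`@@ -322,7 +322,6 @@`), dropping `gasket_dev->interrupt_data = interrupt_data;` immediately after the first `kzalloc()` is only safe if nothing between this point and the second hunk reads `gasket_dev->interrupt_data` rather than the local `interrupt_data`; the visible lines only touch the local (`interrupt_data->name`, `->type`, `->pci_dev`), but the two later allocations and any helper that takes `gasket_dev` are not shown, so please confirm none of them dereferences the field during init. The alternative that keeps the field valid throughout would be to clear `gasket_dev->interrupt_data` in each error path before the local `kfree()`; either way the invariant to state in the commit message is that the field is set only once the whole structure is fully allocated, so `gasket_interrupt_cleanup()` never sees a pointer to freed memory (the double free this patch fixes). Minor: "all successd" in the description should read "all succeed".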
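Review bot: For the second hunk (`@@ -349,6 +348,8 @@`), the assignment now lands right before `switch (interrupt_data->type)`, which immediately calls `gasket_interrupt_msix_init(interrupt_data)`; if that call (or the other cases) can fail and the failure path frees `interrupt_data` locally, the same dangling-field-then-double-free pattern recurs one step later, so please check that errors after this point either leave the allocation for `gasket_interrupt_cleanup()` to release or also reset `gasket_dev->interrupt_data` to NULL. If the later failure paths already rely on cleanup to free it, a one-line comment above the new assignment ("field is set only once all sub-allocations succeeded; cleanup frees it from here on") would make the ownership hand-off explicit for the next reader.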