This is a note to let you know that I've just added the patch titled rpmsg: Avoid double-free in mtk_rpmsg_register_device to the 5.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: rpmsg-avoid-double-free-in-mtk_rpmsg_register_device.patch and it can be found in the queue-5.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit e71ffce3ee759e2fce111552bec42a514c86bec7 Author: Nicolas Boichat <drinkcat@xxxxxxxxxxxx> Date: Thu Sep 3 08:05:58 2020 +0800 rpmsg: Avoid double-free in mtk_rpmsg_register_device [ Upstream commit 231331b2dbd71487159a0400d9ffd967eb0d0e08 ] If rpmsg_register_device fails, it will call mtk_rpmsg_release_device which already frees mdev. Fixes: 7017996951fd ("rpmsg: add rpmsg support for mt8183 SCP.") Signed-off-by: Nicolas Boichat <drinkcat@xxxxxxxxxxxx> Reviewed-by: Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> Link: https://lore.kernel.org/r/20200903080547.v3.1.I56cf27cd59f4013bd074dc622c8b8248b034a4cc@changeid Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/rpmsg/mtk_rpmsg.c b/drivers/rpmsg/mtk_rpmsg.c index 83f2b8804ee98..96a17ec291401 100644 --- a/drivers/rpmsg/mtk_rpmsg.c +++ b/drivers/rpmsg/mtk_rpmsg.c @@ -200,7 +200,6 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, struct rpmsg_device *rpdev; struct mtk_rpmsg_device *mdev; struct platform_device *pdev = mtk_subdev->pdev; - int ret; mdev = kzalloc(sizeof(*mdev), GFP_KERNEL); if (!mdev) @@ -219,13 +218,7 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev, rpdev->dev.parent = &pdev->dev; rpdev->dev.release = mtk_rpmsg_release_device; - ret = rpmsg_register_device(rpdev); - if (ret) { - kfree(mdev); - return ret; - } - - return 0; + return rpmsg_register_device(rpdev); } static void mtk_register_device_work_function(struct work_struct *register_work)