Mon, Feb 24, 2025 at 10:31:27AM +0100, arkadiusz.kubalewski@xxxxxxxxx wrote:
>Hi Jiasheng, many thanks for the patch!
>
>>From: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
>>Sent: Sunday, February 23, 2025 9:17 PM
>>
>>When src->freq_supported is not NULL but src->freq_supported_num is 0,
>>dst->freq_supported is equal to src->freq_supported.
>>In this case, if the subsequent kstrdup() fails, src->freq_supported may
>
>The src->freq_supported is not being freed in this function,
>you meant dst->freq_supported?
>But also it is not true.
>dst->freq_supported is being freed already, this patch adds only additional
>condition over it..
>From kfree doc: "If @object is NULL, no operation is performed.".
>
>>be freed without being set to NULL, potentially leading to a
>>use-after-free or double-free error.
>>
>
>kfree does not set to NULL from what I know. How would it lead to
>use-after-free/double-free?
>Why the one would use the memory after the function returns -ENOMEM?
>
>I don't think this patch is needed or resolves anything.

I'm sure it's not needed.

>
>Thank you!
>Arkadiusz
>
>>Fixes: 830ead5fb0c5 ("dpll: fix pin dump crash for rebound module")
>>Cc: <stable@xxxxxxxxxxxxxxx> # v6.8+
>>Signed-off-by: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
>>--- >> drivers/dpll/dpll_core.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >>diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c >>index 32019dc33cca..7d147adf8455 100644 >>--- a/drivers/dpll/dpll_core.c >>+++ b/drivers/dpll/dpll_core.c >>@@ -475,7 +475,8 @@ static int dpll_pin_prop_dup(const struct >>dpll_pin_properties *src, >> err_panel_label: >> kfree(dst->board_label); >> err_board_label: >>- kfree(dst->freq_supported); >>+ if (src->freq_supported_num) >>+ kfree(dst->freq_supported); >> return -ENOMEM; >> } >> >>-- >>2.25.1 >
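
Review bot: the new "if (src->freq_supported_num)" guard at err_board_label makes the cleanup depend on a field of src rather than on what dst->freq_supported actually holds, and the commit message does not show the path on which that pointer is one this function must not free. If the case is the one the message describes (src->freq_supported non-NULL with freq_supported_num 0, leaving dst->freq_supported equal to src->freq_supported), the message should say so explicitly and name dst, not src, as the pointer handed to kfree(); clearing dst->freq_supported at the point where the copy is skipped would keep the error path unconditional and avoid a guard that has to mirror the allocation condition. The message should also state which caller would touch the memory after the -ENOMEM return, since the use-after-free or double-free claim and the stable Cc both rest on that.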