misc: fastrpc: Fix double free of 'buf' in error path

commit e8c276d upstream. smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf. Fixes: 72fa6f7 ("misc: fastrpc: Rework fastrpc_req_munmap") Reviewed-by: Shuah Khan <[email protected]> Reviewed-by: Dan Carpenter <[email protected]> Reviewed-by: Srinivas Kandagatla <[email protected]> Signed-off-by: Sukrut Bellary <[email protected]> Signed-off-by: Srinivas Kandagatla <[email protected]> Cc: stable <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
xanmod · Sep 12, 2024 · f77dc8a · f77dc8a
1 parent 7d301dd
commit f77dc8a
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
@@ -1912,7 +1912,8 @@ static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp)
 				      &args[0]);
 	if (err) {
 		dev_err(dev, "mmap error (len 0x%08llx)\n", buf->size);
-		goto err_invoke;
+		fastrpc_buf_free(buf);
+		return err;
 	}
 
 	/* update the buffer to be able to deallocate the memory on the DSP */
@@ -1950,8 +1951,6 @@ static int fastrpc_req_mmap(struct fastrpc_user *fl, char __user *argp)
 
 err_assign:
 	fastrpc_req_munmap_impl(fl, buf);
-err_invoke:
-	fastrpc_buf_free(buf);
 
 	return err;
 }