| From 6a2a1158128200b98d8f87701af9f8d93c797f04 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 2 Apr 2021 10:13:48 -0700 |
| Subject: crypto: qat - Fix a double free in adf_create_ring |
| |
| From: Lv Yunlong <lyl2019@mail.ustc.edu.cn> |
| |
| [ Upstream commit f7cae626cabb3350b23722b78fe34dd7a615ca04 ] |
| |
| In adf_create_ring, if the callee adf_init_ring() failed, the callee will |
| free the ring->base_addr by dma_free_coherent() and return -EFAULT. Then |
| adf_create_ring will goto err and the ring->base_addr will be freed again |
| in adf_cleanup_ring(). |
| |
| My patch sets ring->base_addr to NULL after the first freed to avoid the |
| double free. |
| |
| Fixes: a672a9dc872ec ("crypto: qat - Intel(R) QAT transport code") |
| Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/crypto/qat/qat_common/adf_transport.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/drivers/crypto/qat/qat_common/adf_transport.c b/drivers/crypto/qat/qat_common/adf_transport.c |
| index 5a7030acdc33..6195d76731c6 100644 |
| --- a/drivers/crypto/qat/qat_common/adf_transport.c |
| +++ b/drivers/crypto/qat/qat_common/adf_transport.c |
| @@ -171,6 +171,7 @@ static int adf_init_ring(struct adf_etr_ring_data *ring) |
| dev_err(&GET_DEV(accel_dev), "Ring address not aligned\n"); |
| dma_free_coherent(&GET_DEV(accel_dev), ring_size_bytes, |
| ring->base_addr, ring->dma_addr); |
| + ring->base_addr = NULL; |
| return -EFAULT; |
| } |
| |
| -- |
| 2.30.2 |
| |