From: Dmitry Torokhov Date: Mon, 20 Jul 2015 23:02:49 +0000 (-0700) Subject: rtc: class: fix double free in rtc_register_device() error path X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6706664d92ea841913d5fcfd06c290fbe6d33bd2;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git rtc: class: fix double free in rtc_register_device() error path Commit 59cca865f21e ("drivers/rtc/class.c: fix device_register() error handling") correctly noted that naked kfree() should not be used after failed device_register() call, however, while it added the needed put_device() it forgot to remove the original kfree() causing double-free. Cc: Vasiliy Kulikov Signed-off-by: Dmitry Torokhov Reviewed-by: Krzysztof Kozlowski Signed-off-by: Alexandre Belloni --- diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c index ea2a315df6b7..eb82ec2a21bd 100644 --- a/drivers/rtc/class.c +++ b/drivers/rtc/class.c @@ -234,8 +234,9 @@ struct rtc_device *rtc_device_register(const char *name, struct device *dev, err = device_register(&rtc->dev); if (err) { + /* This will free both memory and the ID */ put_device(&rtc->dev); - goto exit_kfree; + goto exit; } rtc_dev_add_device(rtc); @@ -247,9 +248,6 @@ struct rtc_device *rtc_device_register(const char *name, struct device *dev, return rtc; -exit_kfree: - kfree(rtc); - exit_ida: ida_simple_remove(&rtc_ida, id);