Merge tag 'regmap-fix-v5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull regmap fix from Mark Brown:
"This fixes a potential double free when handling an out of memory
error inserting a node into an rbtree regcache"

* tag 'regmap-fix-v5.15-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
regmap: Fix possible double-free in regcache_rbtree_exit()

Linus Torvalds 4 years ago 8685de2e eecd231a

+3 -4

1 changed file

expand all

drivers

base

regmap

regcache-rbtree.c

+3 -4

drivers/base/regmap/regcache-rbtree.c

··· 281 281 if (!blk) 282 282 return -ENOMEM; 283 283 284 + rbnode->block = blk; 285 + 284 286 if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) { 285 287 present = krealloc(rbnode->cache_present, 286 288 BITS_TO_LONGS(blklen) * sizeof(*present), 287 289 GFP_KERNEL); 288 - if (!present) { 289 - kfree(blk); 290 + if (!present) 290 291 return -ENOMEM; 291 - } 292 292 293 293 memset(present + BITS_TO_LONGS(rbnode->blklen), 0, 294 294 (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen)) ··· 305 305 } 306 306 307 307 /* update the rbnode block, its size and the base register */ 308 - rbnode->block = blk; 309 308 rbnode->blklen = blklen; 310 309 rbnode->base_reg = base_reg; 311 310 rbnode->cache_present = present;