crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
authorChristian Lamparter <chunkeey@gmail.com>
Thu, 31 Oct 2019 16:14:38 +0000 (17:14 +0100)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 8 Nov 2019 15:15:52 +0000 (23:15 +0800)
This patch fixes a crash that can happen during probe
when the available dma memory is not enough (this can
happen if the crypto4xx is built as a module).

The descriptor window mapping would end up being free'd
twice, once in crypto4xx_build_pdr() and the second time
in crypto4xx_destroy_sdr().

Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
Cc: <stable@vger.kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
drivers/crypto/amcc/crypto4xx_core.c

index de5e9352e920b021f702be5f015296a103e0e813..7d6b695c4ab3fb3deca7839fd972afd560944cdc 100644 (file)
@@ -365,12 +365,8 @@ static u32 crypto4xx_build_sdr(struct crypto4xx_device *dev)
                dma_alloc_coherent(dev->core_dev->device,
                        PPC4XX_SD_BUFFER_SIZE * PPC4XX_NUM_SD,
                        &dev->scatter_buffer_pa, GFP_ATOMIC);
-       if (!dev->scatter_buffer_va) {
-               dma_free_coherent(dev->core_dev->device,
-                                 sizeof(struct ce_sd) * PPC4XX_NUM_SD,
-                                 dev->sdr, dev->sdr_pa);
+       if (!dev->scatter_buffer_va)
                return -ENOMEM;
-       }
 
        for (i = 0; i < PPC4XX_NUM_SD; i++) {
                dev->sdr[i].ptr = dev->scatter_buffer_pa +