summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGuangshuo Li <lgs201920130244@gmail.com>2026-05-01 22:00:05 +0300
committerViresh Kumar <viresh.kumar@linaro.org>2026-05-05 08:07:00 +0300
commitbcb8889c4981fdde42d4fd2c29a77d510fe21da2 (patch)
tree54fa1b046fd7dbf944be04fe56a9fa3cef9d95ad
parent88e8df5904007ea53232237acf9ad02aeb992ece (diff)
downloadlinux-bcb8889c4981fdde42d4fd2c29a77d510fe21da2.tar.xz
cpufreq: qcom-cpufreq-hw: Fix possible double free
qcom_cpufreq.data is allocated with devm_kzalloc() in probe() as an array of per-domain data. qcom_cpufreq_hw_cpu_init() stores a pointer to one element of this array in policy->driver_data. qcom_cpufreq_hw_cpu_exit() currently calls kfree() on policy->driver_data. This is not valid because the memory is devm-managed. For the first domain, this can free the devm-managed allocation while the devres entry is still active, leading to a possible double free when the platform device is later detached. For other domains, the pointer may refer to an element inside the array rather than the allocation base. Remove the kfree(data) call and let devres release qcom_cpufreq.data. This issue was found by a static analysis tool I am developing. Fixes: 054a3ef683a1 ("cpufreq: qcom-hw: Allocate qcom_cpufreq_data during probe") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
-rw-r--r--drivers/cpufreq/qcom-cpufreq-hw.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c
index ea9a20d27b8f..ef19faedbfec 100644
--- a/drivers/cpufreq/qcom-cpufreq-hw.c
+++ b/drivers/cpufreq/qcom-cpufreq-hw.c
@@ -578,7 +578,6 @@ static void qcom_cpufreq_hw_cpu_exit(struct cpufreq_policy *policy)
dev_pm_opp_of_cpumask_remove_table(policy->related_cpus);
qcom_cpufreq_hw_lmh_exit(data);
kfree(policy->freq_table);
- kfree(data);
}
static void qcom_cpufreq_ready(struct cpufreq_policy *policy)