git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Dan Carpenter <dan.carpenter@linaro.org>
	Mon, 10 Mar 2025 19:48:29 +0000 (22:48 +0300)
committer	Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
	Tue, 11 Mar 2025 15:23:57 +0000 (17:23 +0200)
commit	5b1122fc4995f308b21d7cfc64ef9880ac834d20
tree	0b95fafa247d0f56783d49181292653c0871f4e3	tree
parent	376a8c2a144397d9cf2a67d403dd64f4a7ff9104	commit \| diff

platform/x86/amd/pmf: fix cleanup in amd_pmf_init_smart_pc()

There are a few problems in this code:

First, if amd_pmf_tee_init() fails then the function returns directly
instead of cleaning up.  We cannot simply do a "goto error;" because
the amd_pmf_tee_init() cleanup calls tee_shm_free(dev->fw_shm_pool);
and amd_pmf_tee_deinit() calls it as well leading to a double free.
I have re-written this code to use an unwind ladder to free the
allocations.

Second, if amd_pmf_start_policy_engine() fails on every iteration though
the loop then the code calls amd_pmf_tee_deinit() twice which is also a
double free.  Call amd_pmf_tee_deinit() inside the loop for each failed
iteration.  Also on that path the error codes are not necessarily
negative kernel error codes.  Set the error code to -EINVAL.

There is a very subtle third bug which is that if the call to
input_register_device() in amd_pmf_register_input_device() fails then
we call input_unregister_device() on an input device that wasn't
registered.  This will lead to a reference counting underflow
because of the device_del(&dev->dev) in __input_unregister_device().
It's unlikely that anyone would ever hit this bug in real life.

Fixes: 376a8c2a1443 ("platform/x86/amd/pmf: Update PMF Driver for Compatibility with new PMF-TA")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/232231fc-6a71-495e-971b-be2a76f6db4c@stanley.mountain
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>