From 229e12548da753c1e45f7d3c3b130a7c68ec0826 Mon Sep 17 00:00:00 2001
From: Mikael Olsson
Date: Thu, 22 Jun 2023 14:34:55 +0200
Subject: Fix double free in kernel driver probe clean up If the probe function is past the NPU device registration when a failure occurs, the device instance will be freed twice causing a crash. This occurs because the device's release callback will free the device instance when the device is unregistered and then the probe clean up will attempt to free it again. To resolve this, the probe will now only directly free the device instance if the registration fails and otherwise let the device's release callback handle it.
Change-Id: Iafe87e7ca44b91f8e0e2e870106a4b8c2a69dd8f
Signed-off-by: Mikael Olsson
---
 kernel/ethosu_device.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/kernel/ethosu_device.c b/kernel/ethosu_device.c
index 0b6fdfa..6987215 100644
--- a/kernel/ethosu_device.c
+++ b/kernel/ethosu_device.c
@@ -441,8 +441,11 @@ int ethosu_dev_init(struct rpmsg_device *rpdev,
 /* Create device object */
 ret = ethosu_device_register(&edev->dev, &rpdev->dev, edev, devt);
- if (ret)
- goto free_edev;
+ if (ret) {
+ kfree(edev);
+
+ return ret;
+ }
 /* Continue with new device */
 dev = &edev->dev;
@@ -506,9 +509,6 @@ deinit_mailbox:
 device_unregister:
 device_unregister(dev);
-free_edev:
- kfree(edev);
-
 return ret;
 }
-- cgit v1.2.1
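Review bot: The `kfree(edev)` added in the `if (ret)` branch after `ethosu_device_register()` is only safe if that helper fails before the embedded `struct device` has been initialized, and the hunk does not show which failure paths the helper has. If the helper goes through `device_register()` or `device_initialize()` and fails afterwards, the driver core expects the reference to be dropped with `put_device(&edev->dev)` so that the release callback frees `edev`; a direct `kfree()` would then leak the device name, or free twice again if the helper already drops the reference itself. I would confirm which case applies and record it at the call site, for example `/* registration failed before the release callback took ownership of edev */`. `ethosu_dev_init()` starts and ends outside this hunk, so the allocation of `edev` and the remaining error labels are not visible here.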