usb: dwc3: dbm: Fix double free in msm_dbm_probe

Memory allocated with devm_kzalloc is automatically
released by the kernel if the probe function fails with
an error code. Therefore, using kfree is unsafe since it
can lead to the Double-Free security issue. This change
removes kfree from msm_dbm_probe function to avoid double
free for dbm_data.

Change-Id: I512284d021ba89d5d04a6d498aa17489e37bff2e
Signed-off-by: Pratham Pratap <[email protected]>

Author: Pratham Pratap

drivers/usb/dwc3/dbm-1_4.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2014, 2018 The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -372,7 +372,6 @@ static int msm_dbm_probe(struct platform_device *pdev)
 	struct device *dev = &pdev->dev;
 	struct dbm *dbm;
 	struct resource *res;
-	int ret = 0;
 
 	dbm_data = devm_kzalloc(dev, sizeof(*dbm_data), GFP_KERNEL);
 	if (!dbm_data)
@@ -382,24 +381,21 @@ static int msm_dbm_probe(struct platform_device *pdev)
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	if (!res) {
 		dev_err(&pdev->dev, "missing memory base resource\n");
-		ret = -ENODEV;
-		goto free_dbm_data;
+		return -ENODEV;
 	}
 
 	dbm_data->base = devm_ioremap_nocache(&pdev->dev, res->start,
 		resource_size(res));
 	if (!dbm_data->base) {
 		dev_err(&pdev->dev, "ioremap failed\n");
-		ret = -ENOMEM;
-		goto free_dbm_data;
+		return -ENOMEM;
 	}
 
 
 	dbm = devm_kzalloc(dev, sizeof(*dbm), GFP_KERNEL);
 	if (!dbm) {
 		dev_err(&pdev->dev, "not enough memory\n");
-		ret = -ENOMEM;
-		goto free_dbm_data;
+		return -ENOMEM;
 	}
 
 	dbm->dev = dev;
@@ -418,20 +414,6 @@ static int msm_dbm_probe(struct platform_device *pdev)
 	platform_set_drvdata(pdev, dbm);
 
 	return usb_add_dbm(dbm);
-
-free_dbm_data:
-	kfree(dbm_data);
-	return ret;
-}
-
-static int msm_dbm_remove(struct platform_device *pdev)
-{
-	struct dbm *dbm = platform_get_drvdata(pdev);
-
-	kfree(dbm);
-	kfree(dbm_data);
-
-	return 0;
 }
 
 static const struct of_device_id msm_dbm_1_4_id_table[] = {
@@ -444,7 +426,6 @@ MODULE_DEVICE_TABLE(of, msm_dbm_1_4_id_table);
 
 static struct platform_driver msm_dbm_driver = {
 	.probe		= msm_dbm_probe,
-	.remove		= msm_dbm_remove,
 	.driver = {
 		.name	= "msm-usb-dbm-1-4",
 		.of_match_table = of_match_ptr(msm_dbm_1_4_id_table),

drivers/usb/dwc3/dbm-1_5.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2015, 2018 The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -387,7 +387,6 @@ static int msm_dbm_probe(struct platform_device *pdev)
 	struct device_node *node = pdev->dev.of_node;
 	struct dbm *dbm;
 	struct resource *res;
-	int ret = 0;
 
 	dbm_data = devm_kzalloc(dev, sizeof(*dbm_data), GFP_KERNEL);
 	if (!dbm_data)
@@ -397,24 +396,21 @@ static int msm_dbm_probe(struct platform_device *pdev)
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	if (!res) {
 		dev_err(&pdev->dev, "missing memory base resource\n");
-		ret = -ENODEV;
-		goto free_dbm_data;
+		return -ENODEV;
 	}
 
 	dbm_data->base = devm_ioremap_nocache(&pdev->dev, res->start,
 		resource_size(res));
 	if (!dbm_data->base) {
 		dev_err(&pdev->dev, "ioremap failed\n");
-		ret = -ENOMEM;
-		goto free_dbm_data;
+		return -ENOMEM;
 	}
 
 
 	dbm = devm_kzalloc(dev, sizeof(*dbm), GFP_KERNEL);
 	if (!dbm) {
 		dev_err(&pdev->dev, "not enough memory\n");
-		ret = -ENOMEM;
-		goto free_dbm_data;
+		return -ENOMEM;
 	}
 
 	dbm_data->dbm_reset_ep_after_lpm = of_property_read_bool(node,
@@ -437,20 +433,6 @@ static int msm_dbm_probe(struct platform_device *pdev)
 	platform_set_drvdata(pdev, dbm);
 
 	return usb_add_dbm(dbm);
-
-free_dbm_data:
-	kfree(dbm_data);
-	return ret;
-}
-
-static int msm_dbm_remove(struct platform_device *pdev)
-{
-	struct dbm *dbm = platform_get_drvdata(pdev);
-
-	kfree(dbm);
-	kfree(dbm_data);
-
-	return 0;
 }
 
 static const struct of_device_id msm_dbm_1_5_id_table[] = {
@@ -463,7 +445,6 @@ MODULE_DEVICE_TABLE(of, msm_dbm_1_5_id_table);
 
 static struct platform_driver msm_dbm_driver = {
 	.probe		= msm_dbm_probe,
-	.remove		= msm_dbm_remove,
 	.driver = {
 		.name	= "msm-usb-dbm-1-5",
 		.of_match_table = of_match_ptr(msm_dbm_1_5_id_table),