A double free bug was found in drivers/firmware/dmi-sysfs.c. In the implementation of dmi_sysfs_register_handle, it calls dmi_system_event_log() to initialize entry->child. If kobject_init_and_add() fails, entry->child is freed. But unfortunately, the out_err branch in dmi_sysfs_register_handle will free entry->child twice!
Fixes: 925a1da7477fc ("firmware: Break out system_event_log in dmi-sysfs") Signed-off-by: Lv Yunlong <lyl2...@mail.ustc.edu.cn> --- drivers/firmware/dmi-sysfs.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c index 8b8127fa8955..ad97bbd37206 100644 --- a/drivers/firmware/dmi-sysfs.c +++ b/drivers/firmware/dmi-sysfs.c @@ -631,7 +631,6 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh, return; out_err: - kobject_put(entry->child); kobject_put(&entry->kobj); return; } -- 2.25.1
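Review bot: at the out_err label, deleting `kobject_put(entry->child);` unconditionally is only safe if every path that reaches out_err has either already released entry->child or never set it, and the changelog covers only the path where kobject_init_and_add() fails inside dmi_system_event_log(). If any other goto reaches out_err with a live entry->child, this deletion turns the double free into a leak, unless releasing `&entry->kobj` also drops the child. Please say in the commit message which paths reach out_err and what state entry->child is in on each. An alternative that keeps the label correct for all callers is to set entry->child to NULL where dmi_system_event_log() frees it and leave the put in place, since kobject_put() ignores a NULL pointer. That would also avoid leaving a dangling pointer in entry->child after the failure.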