ANDROID: android-verity: Prevent double-freeing metadata
If extract_metadata() fails, it will free metadata in its own error
path, so it is safe to simply return the provided error value without
worrying about resource handling/releasing.
Moreover, if we simply return in extract_metadata()'s error path, we
can assume the thread of execution will only make it down into the
free_metadata: tag area sometime after extract_metadata()'s success,
in which case metadata will need to be freed without question.
Bug: 234030265
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I1bf42ff9ecef3eea26543526c6955d7823d45c43
diff --git a/drivers/md/dm-android-verity.c b/drivers/md/dm-android-verity.c
index 20e0593..2b0cc96 100644
--- a/drivers/md/dm-android-verity.c
+++ b/drivers/md/dm-android-verity.c
@@ -671,7 +671,7 @@
static int android_verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
{
dev_t uninitialized_var(dev);
- struct android_metadata *metadata = NULL;
+ struct android_metadata *metadata;
int err = 0, i, mode;
char *key_id = NULL, *table_ptr, dummy, *target_device;
char *verity_table_args[VERITY_TABLE_ARGS + 2 + VERITY_TABLE_OPT_FEC_ARGS];
@@ -733,7 +733,7 @@
}
DMERR("Error while extracting metadata");
handle_error();
- goto free_metadata;
+ return err;
}
if (verity_enabled) {
@@ -864,11 +864,10 @@
}
free_metadata:
- if (metadata) {
- kfree(metadata->header);
- kfree(metadata->verity_table);
- }
+ kfree(metadata->header);
+ kfree(metadata->verity_table);
kfree(metadata);
+
return err;
}
