crypto: marvell/octeontx - fix double free of ptr

Currently in the case where eq->src != req->ds, the allocation of
ptr is kfree'd at the end of the code block. However later on in
the case where enc is not null any of the error return paths that
return via the error handling return path end up performing an
erroneous second kfree of ptr.

Fix this by adding an error exit label error_free and only jump to
this when ptr needs kfree'ing thus avoiding the double free issue.

Addresses-Coverity: ("Double free")
Fixes: 10b4f09491bf ("crypto: marvell - add the Virtual Function driver for CPT")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
index 946fb62..06202bc 100644 (file)
--- a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
+++ b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
@@ -1161,13 +1161,13 @@ static inline u32 create_aead_null_output_list(struct aead_request *req,
                                           inputlen);
                if (status != inputlen) {
                        status = -EINVAL;
-                       goto error;
+                       goto error_free;
                }
                status = sg_copy_from_buffer(req->dst, sg_nents(req->dst), ptr,
                                             inputlen);
                if (status != inputlen) {
                        status = -EINVAL;
-                       goto error;
+                       goto error_free;
                }
                kfree(ptr);
        }
@@ -1209,8 +1209,10 @@ static inline u32 create_aead_null_output_list(struct aead_request *req,
 
        req_info->outcnt = argcnt;
        return 0;
-error:
+
+error_free:
        kfree(ptr);
+error:
        return status;
 }