From 9e47d3f94dad2d93c4faa72a4d8eadf59b4324c0 Mon Sep 17 00:00:00 2001
From: Lee Jones <lee.jones@linaro.org>
Date: Tue, 7 Jun 2022 15:28:37 +0100
Subject: [PATCH] ANDROID: android-verity: Prevent double-freeing metadata

If extract_metadata() fails, it will free metadata in its own error
path, so it is safe to simply return the provided error value without
worrying about resource handling/releasing.

Moreover, if we simply return in extract_metadata()'s error path, we
can assume the thread of execution will only make it down into the
free_metadata: tag area sometime after extract_metadata()'s success,
in which case metadata will need to be freed without question.

Bug: 234030265
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I1bf42ff9ecef3eea26543526c6955d7823d45c43
---
 drivers/md/dm-android-verity.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/md/dm-android-verity.c b/drivers/md/dm-android-verity.c
index 20e05936551f..2b0cc969bb20 100644
--- a/drivers/md/dm-android-verity.c
+++ b/drivers/md/dm-android-verity.c
@@ -671,7 +671,7 @@ static int create_linear_device(struct dm_target *ti, dev_t dev,
 static int android_verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
 {
 	dev_t uninitialized_var(dev);
-	struct android_metadata *metadata = NULL;
+	struct android_metadata *metadata;
 	int err = 0, i, mode;
 	char *key_id = NULL, *table_ptr, dummy, *target_device;
 	char *verity_table_args[VERITY_TABLE_ARGS + 2 + VERITY_TABLE_OPT_FEC_ARGS];
@@ -733,7 +733,7 @@ static int android_verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
 		}
 		DMERR("Error while extracting metadata");
 		handle_error();
-		goto free_metadata;
+		return err;
 	}
 
 	if (verity_enabled) {
@@ -864,11 +864,10 @@ static int android_verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
 	}
 
 free_metadata:
-	if (metadata) {
-		kfree(metadata->header);
-		kfree(metadata->verity_table);
-	}
+	kfree(metadata->header);
+	kfree(metadata->verity_table);
 	kfree(metadata);
+
 	return err;
 }