Fix cleanup in aocc_open() error case
When aoc_service_write() fails, aocc_open() wasn't removing the list entry it added to `s_open_files` and memory for that list entry gets freed, leading to a use-after-free list assertion (prev->next != entry) in a different file's aocc_release() -> list_del().

Also fix the `aocc_devices_lock` mutex getting double unlocked, and kref_get() and get_device() not getting cleaned up in the same error case.

Bug: 175789448
Fixes: d8f688de ("usf: use non-blocking aoc_service_write.")
Signed-off-by: Siqi Lin <siqilin@google.com>
Change-Id: Ic802fae46d8bd8effb9d20d9e85ac143f6be89e8
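A userspace model of the error path the commit message describes, added here as an illustration and not taken from the driver or the patch: an open routine that links an entry into a list and takes a reference must undo both, with balanced locking, before freeing the entry when the later write fails. The names `model_open`, `file_entry`, `lock_depth`, `dev_refs` and `write_ok` are assumptions; only `s_open_files` is named on the page.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins (assumptions) for the kernel list, mutex and refcounts. */
struct list_head { struct list_head *prev, *next; };
static struct list_head s_open_files = { &s_open_files, &s_open_files };
static int lock_depth; /* models aocc_devices_lock: 1 = held, 0 = free */
static int dev_refs;   /* models the kref_get() + get_device() pair */

static void list_add(struct list_head *e, struct list_head *h) {
    e->next = h->next; e->prev = h; h->next->prev = e; h->next = e;
}
static void list_del(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
}
static int list_is_empty(void) {
    return s_open_files.next == &s_open_files &&
           s_open_files.prev == &s_open_files;
}

struct file_entry { struct list_head node; };

/* write_ok models aoc_service_write() succeeding (1) or failing (0). */
static struct file_entry *model_open(int write_ok) {
    struct file_entry *f = calloc(1, sizeof(*f));
    if (!f)
        return NULL;
    lock_depth++;                      /* lock */
    dev_refs++;                        /* take the device reference */
    list_add(&f->node, &s_open_files); /* entry is now visible to other files */
    lock_depth--;                      /* unlock exactly once */
    if (!write_ok)
        goto err_unwind;
    return f;
err_unwind:
    /* Undo in reverse order; the entry must leave the list before free(),
     * otherwise its neighbours keep pointers into freed memory. */
    lock_depth++;
    list_del(&f->node);
    dev_refs--;
    lock_depth--;
    free(f);
    return NULL;
}

int main(void) {
    struct file_entry *f = model_open(0); /* simulate the failing write */
    int clean = !f && list_is_empty() && lock_depth == 0 && dev_refs == 0;
    printf("failed open left state clean: %s\n", clean ? "yes" : "no");
    return clean ? 0 : 1;
}
```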