[v2,2/2] pci: endpoint: Fix kernel panic after put_device()

Message ID 20180226171617.10016-3-embedded24@evers-fischer.de
State Superseded
Series pci: endpoint: Fix double free in pci_epf_create()

Commit Message

Rolf Evers-Fischer Feb. 26, 2018, 5:16 p.m. UTC
From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>

'put_device()' calls the release function 'pci_epf_dev_release()',
which already frees 'epf->name' and 'epf'.

Therefore we must not free them again after 'put_device()'.

Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
---
 drivers/pci/endpoint/pci-epf-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Andy Shevchenko Feb. 26, 2018, 7:12 p.m. UTC | #1
On Mon, Feb 26, 2018 at 7:16 PM, Rolf Evers-Fischer
<embedded24@evers-fischer.de> wrote:
> From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com>
>
> 'put_device()' calls the release function 'pci_epf_dev_release()',
> which already frees 'epf->name' and 'epf'.
>
> Therefore we must not free them again after 'put_device()'.

>  put_dev:
>         put_device(dev);
> -       kfree(epf->name);
> +       return ERR_PTR(ret);

Ouch, if it's double free (sounds like it is) it should be fixed up to
initial commit which brought that.
Thus, Fixes tag would be good to see.

Patch

diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c
index 1f2506f32bb9..1878a6776519 100644
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -232,7 +232,7 @@  struct pci_epf *pci_epf_create(const char *name)
 
 put_dev:
 	put_device(dev);
-	kfree(epf->name);
+	return ERR_PTR(ret);
 
 free_epf:
 	kfree(epf);
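
Review bot: The new `return ERR_PTR(ret);` under `put_dev:` is the only thing that stops this path from falling through into `free_epf:` and its `kfree(epf)`, and nothing in the code says so. A one-line comment above the return, stating that `put_device()` ends in `pci_epf_dev_release()`, which by the commit message already frees `epf->name` and `epf`, would keep a later cleanup from merging the two exits again. The commit message could also be more specific about the defect: given that release behaviour, the removed `kfree(epf->name)` read `epf` after it had been freed, and the fallthrough then freed `epf` a second time, so this is a use-after-free as well as a double free. A Fixes: tag naming the commit that introduced the error path is missing and would let stable trees pick the change up.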