From patchwork Thu Jun 6 17:10:08 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jiang Liu X-Patchwork-Id: 249504
From: Jiang Liu To: Bjorn Helgaas Cc: Jiang Liu , Yijing Wang , linux-pci@vger.kernel.org Subject: [PATCH 1/2] PCI: fix a double free issue in pci_create_root_bus() error recovery path Date: Fri, 7 Jun 2013 01:10:08 +0800 Message-Id: <1370538609-28903-1-git-send-email-jiang.liu@huawei.com> X-Mailer: git-send-email 1.8.1.2 In-Reply-To: References: Sender: linux-pci-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pci@vger.kernel.org On pci_create_root_bus() error recovery path, device_unregister(&bridge->dev) should have freed memory used by bridge, so we shouldn't call kfree(bridge) again, it's a double free. On the other hand, we should not use kfree() to free memory used by device object once we have invoked device_register() because it's reference-counted. Signed-off-by: Jiang Liu Cc: stable@vger.kernel.org --- Hi Bjorn, This is the patch to fix the kfree() issue, it may be a material for stable trees. Thanks! Gerry --- drivers/pci/probe.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 8882b5d..2f81a0a 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -1729,12 +1729,16 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus, bridge->dev.release = pci_release_bus_bridge_dev; dev_set_name(&bridge->dev, "pci%04x:%02x", pci_domain_nr(b), bus); error = pcibios_root_bridge_prepare(bridge); - if (error) - goto bridge_dev_reg_err; + if (error) { + kfree(bridge); + goto err_out; + } error = device_register(&bridge->dev); - if (error) - goto bridge_dev_reg_err; + if (error) { + kfree(bridge); + goto err_out; + } b->bridge = get_device(&bridge->dev); device_enable_async_suspend(b->bridge); pci_set_bus_of_node(b); @@ -1790,8 +1794,6 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus, class_dev_reg_err: put_device(&bridge->dev); device_unregister(&bridge->dev); -bridge_dev_reg_err: - kfree(bridge); err_out: kfree(b); return NULL;
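Review bot: In the first hunk, the second error branch calls kfree(bridge) after device_register(&bridge->dev) has failed, which is the pattern the commit message itself rules out ("we should not use kfree() to free memory used by device object once we have invoked device_register()"). device_register() initializes the device's reference count before it attempts to add the device, so a failure there has to be unwound with put_device(&bridge->dev), which lets the release callback assigned just above (pci_release_bus_bridge_dev) do the freeing. Suggest changing that branch to put_device(&bridge->dev); goto err_out; and keeping the direct kfree(bridge) only for the pcibios_root_bridge_prepare() failure, where the device has not been initialized yet.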
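Review bot: In the second hunk, nothing at class_dev_reg_err now says who frees bridge, and put_device() followed by device_unregister() and a fall-through to kfree(b) reads as if bridge were leaked. A short comment at that label would help: the put_device() balances the get_device() stored in b->bridge, and the final reference drop in device_unregister() frees bridge through dev.release. That would keep a later cleanup from re-adding the kfree(bridge) this patch removes.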