PCI: endpoint: Fix potential double free in __pci_epc_create

Message ID 20221220045930.1106921-1-linmq006@gmail.com
State New
Headers
Series PCI: endpoint: Fix potential double free in __pci_epc_create |

Commit Message

Miaoqian Lin Dec. 20, 2022, 4:59 a.m. UTC
  When all references are dropped, callback function pci_epc_release()
for put_device() already call kfree(epc) to release memory.
Remove abundant kfree to fix double free.

Fixes: 7711cbb4862a ("PCI: endpoint: Fix WARN() when an endpoint driver is removed")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
 drivers/pci/endpoint/pci-epc-core.c | 2 --
 1 file changed, 2 deletions(-)
  

Comments

Manivannan Sadhasivam April 8, 2023, 9:30 a.m. UTC | #1
On Tue, Dec 20, 2022 at 08:59:29AM +0400, Miaoqian Lin wrote:
> When all references are dropped, callback function pci_epc_release()
> for put_device() already call kfree(epc) to release memory.
> Remove abundant kfree to fix double free.
> 
> Fixes: 7711cbb4862a ("PCI: endpoint: Fix WARN() when an endpoint driver is removed")
> Signed-off-by: Miaoqian Lin <linmq006@gmail.com>

Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>

- Mani

> ---
>  drivers/pci/endpoint/pci-epc-core.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
> index 2542196e8c3d..7dc640c99d9a 100644
> --- a/drivers/pci/endpoint/pci-epc-core.c
> +++ b/drivers/pci/endpoint/pci-epc-core.c
> @@ -800,8 +800,6 @@ __pci_epc_create(struct device *dev, const struct pci_epc_ops *ops,
>  
>  put_dev:
>  	put_device(&epc->dev);
> -	kfree(epc);
> -
>  err_ret:
>  	return ERR_PTR(ret);
>  }
> -- 
> 2.25.1
>
  

Patch

diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
index 2542196e8c3d..7dc640c99d9a 100644
--- a/drivers/pci/endpoint/pci-epc-core.c
+++ b/drivers/pci/endpoint/pci-epc-core.c
@@ -800,8 +800,6 @@  __pci_epc_create(struct device *dev, const struct pci_epc_ops *ops,
 
 put_dev:
 	put_device(&epc->dev);
-	kfree(epc);
-
 err_ret:
 	return ERR_PTR(ret);
 }