From: james_p_freyensee@linux.intel.com (J Freyensee)
Subject: [PATCH] nvme-loop: kfree(ctrl) on _create() error exit
Date: Thu, 27 Oct 2016 08:40:13 -0700
Message-ID: <1477582813.2838.11.camel@linux.intel.com>
In-Reply-To: <20161027124906.GA28200@infradead.org>

On Thu, 2016-10-27 at 05:49 -0700, Christoph Hellwig wrote:
> On Wed, Oct 26, 2016 at 01:20:57PM -0700, Jay Freyensee wrote:
> > 
> > diff --git a/drivers/nvme/target/loop.c
> > b/drivers/nvme/target/loop.c
> > index d5df77d..b0f9931 100644
> > --- a/drivers/nvme/target/loop.c
> > +++ b/drivers/nvme/target/loop.c
> > @@ -673,6 +673,7 @@ static struct nvme_ctrl
> > *nvme_loop_create_ctrl(struct device *dev,
> > ?	nvme_uninit_ctrl(&ctrl->ctrl);
> > ?out_put_ctrl:
> > ?	nvme_put_ctrl(&ctrl->ctrl);
> > +	kfree(ctrl);
> > ?	if (ret > 0)
> > ?		ret = -EIO;
> > ?	return ERR_PTR(ret);
> 
> This will give us a double free.  The final put in nvme_put_ctrl calls
> ->free_ctrl which will free the controller.

But doesn't nvme_put_ctrl() just take care of the nvme_ctrl?  The
kfree(ctrl) is for the nvme_loop_ctrl instance being kzalloc'ed at the
beginning of the function.  I don't think this is any different than
what is done for the create_ctrl() implementation in host/rdma.c:

host/rdma.c
===========
out_uninit_ctrl:
	nvme_uninit_ctrl(&ctrl->ctrl);
	nvme_put_ctrl(&ctrl->ctrl);
	if (ret > 0)
		ret = -EIO;
	return ERR_PTR(ret);
out_free_ctrl:
	kfree(ctrl);   <-- this is for nvme_rdma_ctrl alloc
	return ERR_PTR(ret);

target/loop.c
========
out_uninit_ctrl:
	nvme_uninit_ctrl(&ctrl->ctrl);
out_put_ctrl:
	nvme_put_ctrl(&ctrl->ctrl);
	kfree(ctrl);   <-- the proposed fix for nvme_loop_ctrl alloc
	if (ret > 0)
		ret = -EIO;
	return ERR_PTR(ret);
}
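
A userspace model of the ownership question debated in this thread, added here as an illustration and not taken from the kernel or from either poster. It assumes, as the quoted reply states, that the final put runs ->free_ctrl and that the callback frees the containing structure; all type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
struct core_ctrl {                      /* stands in for the embedded nvme_ctrl */
	int refs;
	void (*free_ctrl)(struct core_ctrl *);
};
struct loop_ctrl {                      /* stands in for the kzalloc'ed container */
	struct core_ctrl ctrl;
};

static int releases;                    /* times the container was handed to "kfree" */

/* Count releases instead of calling free() twice, so the model stays defined. */
static void model_kfree(struct loop_ctrl *c) { (void)c; releases++; }

/* Assumed ->free_ctrl behaviour (per the quoted reply): frees the container. */
static void loop_free_ctrl(struct core_ctrl *core)
{
	model_kfree((struct loop_ctrl *)((char *)core - offsetof(struct loop_ctrl, ctrl)));
}

static void put_ctrl(struct core_ctrl *core)
{
	if (--core->refs == 0)              /* final put runs the release callback */
		core->free_ctrl(core);
}

/* One error exit; returns how many times the container was released. */
int error_exit(int refcount_live, int extra_kfree)
{
	struct loop_ctrl *c = calloc(1, sizeof(*c));
	if (!c)
		return -1;
	releases = 0;
	if (refcount_live) {                /* exit taken after the ctrl was initialised */
		c->ctrl.refs = 1;
		c->ctrl.free_ctrl = loop_free_ctrl;
		put_ctrl(&c->ctrl);             /* the out_put_ctrl step */
	}
	if (extra_kfree)
		model_kfree(c);                 /* a direct kfree(ctrl) on the way out */
	free(c);                            /* real memory released exactly once */
	return releases;
}
```

Under that assumption, a direct free is the only release on an exit taken before the reference count is live, and a second release on an exit taken after it.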
