On Fri, 14 Sep 2018 15:37:16 +0800 Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx> wrote:

> Add mdev kfree in mdev_device_create() error path which seems
> to be ignored.

The mdev is freed through put_device(), either directly, as in the failure path after device_register() or as part of the device_unregister() path. Please see the note above device_register():

 * NOTE: _Never_ directly free @dev after calling this function, even
 * if it returned an error! Always use put_device() to give up the
 * reference initialized in this function instead.

I don't see that there's a bug here presently. Thanks,

Alex

> Fixes: 7b96953bc640 ("vfio: Mediated device Core driver")
> Cc: Alex Williamson <alex.williamson@xxxxxxxxxx>
> Cc: Kirti Wankhede <kwankhede@xxxxxxxxxx>
> Signed-off-by: Zhenyu Wang <zhenyuw@xxxxxxxxxxxxxxx>
> --- > drivers/vfio/mdev/mdev_core.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/vfio/mdev/mdev_core.c b/drivers/vfio/mdev/mdev_core.c > index 0212f0ee8aea..40a8f7280639 100644 > --- a/drivers/vfio/mdev/mdev_core.c > +++ b/drivers/vfio/mdev/mdev_core.c > @@ -294,7 +294,7 @@ int mdev_device_create(struct kobject *kobj, struct device *dev, uuid_le uuid) > if (!uuid_le_cmp(tmp->uuid, uuid)) { > mutex_unlock(&mdev_list_lock); > ret = -EEXIST; > - goto mdev_fail; > + goto parent_put; > } > } > > @@ -302,7 +302,7 @@ int mdev_device_create(struct kobject *kobj, struct device *dev, uuid_le uuid) > if (!mdev) { > mutex_unlock(&mdev_list_lock); > ret = -ENOMEM; > - goto mdev_fail; > + goto parent_put; > } > > memcpy(&mdev->uuid, &uuid, sizeof(uuid_le)); > @@ -342,6 +342,8 @@ int mdev_device_create(struct kobject *kobj, struct device *dev, uuid_le uuid) > create_fail: > device_unregister(&mdev->dev); > mdev_fail: > + kfree(mdev); > +parent_put: > mdev_put_parent(parent); > return ret; > }
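
Review bot: In the last hunk (@@ -342,6 +342,8), create_fail still falls through into mdev_fail, so the new kfree(mdev) runs immediately after device_unregister(&mdev->dev). As the reply notes, the device core drops the final reference on that path and mdev is released through put_device(), so the added kfree() would free the same object a second time. Drop the kfree(). If a specific path really leaks, the commit message should name it and that path should give up its reference with put_device(&mdev->dev) instead of freeing directly.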
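
Review bot: The two goto retargets in the first and second hunks (-EEXIST and -ENOMEM) exist only to step around the kfree() added at mdev_fail, and the commit message does not mention them. In the -ENOMEM branch mdev is NULL ("if (!mdev)"), where kfree() is a no-op anyway, and in the -EEXIST branch nothing has been allocated yet. Without the kfree() the new parent_put label has no purpose, so these two exits can keep "goto mdev_fail;" and the patch stays minimal.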