From: Yang Yingliang <yangyingliang@xxxxxxxxxx> Sent: Thursday, November 10, 2022 5:49 PM > > In the error path of vmbus_device_register(), device_unregister() is > called, hv_device has already been freed in vmbus_device_release(), > remove the kfree() in vmbus_add_channel_work() to avoid double free. Let me suggest some clearer wording in the commit message: In the error path of vmbus_device_register(), device_unregister() is called, which calls vmbus_device_release(). The latter frees the struct hv_device that was passed in to vmbus_device_register(). So remove the kfree() in vmbus_add_channel_work() to avoid a double free. > > Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info") > Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> > --- > drivers/hv/channel_mgmt.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c > index 5b120402d405..576ebaf729a8 100644 > --- a/drivers/hv/channel_mgmt.c > +++ b/drivers/hv/channel_mgmt.c > @@ -533,13 +533,15 @@ static void vmbus_add_channel_work(struct work_struct > *work) > * Add the new device to the bus. This will kick off device-driver > * binding which eventually invokes the device driver's AddDevice() > * method. > + * If vmbus_device_register() fails, the 'device_obj' will be freed > + * in vmbus_device_release() in vmbus_device_register(). In the outside > + * error path, it's no need to free it. Let me suggest clarifying the comment as well: * If vmbus_device_register() fails, the 'device_obj' is freed in * vmbus_device_release() as called by device_unregister() in the * error path of vmbus_device_register(). In the outside error * path, there's no need to free it. > */ > ret = vmbus_device_register(newchannel->device_obj); > > if (ret != 0) { > pr_err("unable to add child device object (relid %d)\n", > newchannel->offermsg.child_relid); > - kfree(newchannel->device_obj); > goto err_deq_chan; > } > > -- > 2.25.1
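Review bot: In the `if (ret != 0)` branch, once `kfree(newchannel->device_obj);` is dropped, `newchannel->device_obj` still holds the address of the struct hv_device that vmbus_device_release() has already freed, and the branch jumps to `err_deq_chan` with that stale pointer in place. Consider adding `newchannel->device_obj = NULL;` before the `goto`, so that any later code reaching the channel cannot dereference or free the object again; the code under `err_deq_chan` is outside this hunk, so whether it touches `device_obj` should be checked. The new comment also states unconditionally that a failing vmbus_device_register() frees `device_obj`. That holds only if every failure return in that function goes through device_unregister() or otherwise drops the last reference, so it is worth confirming there is no early error return that skips the release, since with this change such a path would leak the object instead.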