From: Yang Yingliang <yangyingliang@xxxxxxxxxx>
>
> In the error path of vmbus_device_register(), device_unregister()
> is called, which calls vmbus_device_release(). The latter frees
> the struct hv_device that was passed in to vmbus_device_register().
> So remove the kfree() in vmbus_add_channel_work() to avoid a double
> free.
>
> Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info")
> Suggested-by: Michael Kelley <mikelley@xxxxxxxxxxxxx>
> Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
> ---
> drivers/hv/channel_mgmt.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
> index 5b120402d405..0ebd73d571bc 100644
> --- a/drivers/hv/channel_mgmt.c
> +++ b/drivers/hv/channel_mgmt.c
> @@ -533,13 +533,16 @@ static void vmbus_add_channel_work(struct work_struct *work)
> * Add the new device to the bus. This will kick off device-driver
> * binding which eventually invokes the device driver's AddDevice()
> * method.
> + * If vmbus_device_register() fails, the 'device_obj' is freed in
> + * vmbus_device_release() as called by device_unregister() in the
> + * error path of vmbus_device_register(). In the outside error
> + * path, there's no need to free it.
> */
> ret = vmbus_device_register(newchannel->device_obj);
>
> if (ret != 0) {
> pr_err("unable to add child device object (relid %d)\n",
> newchannel->offermsg.child_relid);
> - kfree(newchannel->device_obj);
> goto err_deq_chan;
> }
>
> --
> 2.25.1
Reviewed-by: Michael Kelley <mikelley@xxxxxxxxxxxxx>
