On pci_create_root_bus() error recovery path, device_unregister(&bridge->dev) should have freed memory used by bridge, so we shouldn't call kfree(bridge) again, it's a double free. On the other hand, we should not use kfree() to free memory used by device object once we have invoked device_register() because it's reference-counted. Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx --- Hi Bjorn, This is the patch to fix the kfree() issue, it may be a material for stable trees. Thanks! Gerry --- drivers/pci/probe.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 8882b5d..2f81a0a 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -1729,12 +1729,16 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus, bridge->dev.release = pci_release_bus_bridge_dev; dev_set_name(&bridge->dev, "pci%04x:%02x", pci_domain_nr(b), bus); error = pcibios_root_bridge_prepare(bridge); - if (error) - goto bridge_dev_reg_err; + if (error) { + kfree(bridge); + goto err_out; + } error = device_register(&bridge->dev); - if (error) - goto bridge_dev_reg_err; + if (error) { + kfree(bridge); + goto err_out; + } b->bridge = get_device(&bridge->dev); device_enable_async_suspend(b->bridge); pci_set_bus_of_node(b); @@ -1790,8 +1794,6 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus, class_dev_reg_err: put_device(&bridge->dev); device_unregister(&bridge->dev); -bridge_dev_reg_err: - kfree(bridge); err_out: kfree(b); return NULL; -- 1.8.1.2
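
Review bot: in the first hunk, the new error branch after device_register(&bridge->dev) calls kfree(bridge), which is exactly what the commit message says must not be done once device_register() has been invoked. device_register() initializes the reference count even when it returns an error, so that branch should drop the reference with put_device(&bridge->dev), let pci_release_bus_bridge_dev free the structure, and then goto err_out. The kfree(bridge) in the pcibios_root_bridge_prepare() branch runs before registration and is consistent with the message, though it does not release the name allocated by dev_set_name() just above it.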
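
Review bot: with bridge_dev_reg_err removed in the second hunk, nothing at class_dev_reg_err says how bridge gets freed; it now depends entirely on the release callback set in the first hunk's context (bridge->dev.release = pci_release_bus_bridge_dev) running when device_unregister() drops the last reference. A short comment at class_dev_reg_err stating that put_device() balances the get_device() stored in b->bridge and that bridge is freed by the release callback would keep a later change from re-adding kfree(bridge) on this path.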