Re: [PATCH 1/2] PCI: fix a double free issue in pci_create_root_bus() error recovery path

Bjorn Helgaas <bhelgaas@xxxxxxxxxx> · Fri, 7 Jun 2013 19:42:51 -0600

On Fri, Jun 07, 2013 at 01:10:08AM +0800, Jiang Liu wrote:
> On pci_create_root_bus() error recovery path, device_unregister(&bridge->dev)
> should have freed memory used by bridge, so we shouldn't call kfree(bridge)
> again, it's a double free.
> 
> On the other hand, we should not use kfree() to free memory used by
> device object once we have invoked device_register() because it's
> reference-counted.
> 
> Signed-off-by: Jiang Liu <jiang.liu@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
> Hi Bjorn,
> 	This is the patch to fix the kfree() issue, it may be a material
> for stable trees.
> Thanks!
> Gerry
> ---
>  drivers/pci/probe.c | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index 8882b5d..2f81a0a 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -1729,12 +1729,16 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus,
>  	bridge->dev.release = pci_release_bus_bridge_dev;
>  	dev_set_name(&bridge->dev, "pci%04x:%02x", pci_domain_nr(b), bus);
>  	error = pcibios_root_bridge_prepare(bridge);
> -	if (error)
> -		goto bridge_dev_reg_err;
> +	if (error) {
> +		kfree(bridge);
> +		goto err_out;
> +	}
>  
>  	error = device_register(&bridge->dev);
> -	if (error)
> -		goto bridge_dev_reg_err;
> +	if (error) {
> +		kfree(bridge);

Per device_register() comment, this should be a put_device().
I added this patch with that change to my pci/jiang-bus-lock-v3 branch.

I know a subsequent patch removes this anyway.  I might be a little
obsessive.

> +		goto err_out;
> +	}
>  	b->bridge = get_device(&bridge->dev);
>  	device_enable_async_suspend(b->bridge);
>  	pci_set_bus_of_node(b);
> @@ -1790,8 +1794,6 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus,
>  class_dev_reg_err:
>  	put_device(&bridge->dev);
>  	device_unregister(&bridge->dev);
> -bridge_dev_reg_err:
> -	kfree(bridge);
>  err_out:
>  	kfree(b);
>  	return NULL;
> -- 
> 1.8.1.2
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-pci" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html