From: Ewan D. Milne Date: Mon, 24 Apr 2017 17:24:16 +0000 (-0400) Subject: nvme-fc: avoid memory corruption caused by calling nvmf_free_options() twice X-Git-Tag: v4.14-rc1~1071^2^2~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=de41447aac034c4acc8d9d1ddbdcb7ce4e8a3f6f;p=platform%2Fkernel%2Flinux-rpi3.git nvme-fc: avoid memory corruption caused by calling nvmf_free_options() twice Do not call nvmf_free_options() from the nvme_fc_ctlr destructor if nvme_fc_create_ctrl() returns an error, because nvmf_create_ctrl() frees the options when an error is returned. Signed-off-by: Ewan D. Milne Signed-off-by: Christoph Hellwig --- diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c index e73862e..4976db5 100644 --- a/drivers/nvme/host/fc.c +++ b/drivers/nvme/host/fc.c @@ -1716,7 +1716,8 @@ nvme_fc_ctrl_free(struct kref *ref) nvme_fc_rport_put(ctrl->rport); ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum); - nvmf_free_options(ctrl->ctrl.opts); + if (ctrl->ctrl.opts) + nvmf_free_options(ctrl->ctrl.opts); kfree(ctrl); } @@ -2807,6 +2808,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, ret = nvme_fc_create_association(ctrl); if (ret) { + ctrl->ctrl.opts = NULL; /* initiate nvme ctrl ref counting teardown */ nvme_uninit_ctrl(&ctrl->ctrl); nvme_put_ctrl(&ctrl->ctrl);