> -----Original Message----- > From: Ma Ke <[email protected]> > Sent: Monday, June 24, 2024 8:51 AM > To: [email protected]; [email protected]; [email protected]; > [email protected]; [email protected]; [email protected]; > [email protected]; [email protected]; [email protected]; > [email protected]; [email protected]; [email protected]; > [email protected]; [email protected]; > [email protected] > Cc: [email protected]; [email protected]; linux- > [email protected] > Subject: [PATCH] net: mana: Fix possible double free in error > handling path > > When auxiliary_device_add() returns error and then calls > auxiliary_device_uninit(), callback function adev_release calls kfree(madev) > to free memory. We shouldn't call kfree(padev) again in the error handling > path. Signed-off-by: Ma Ke <make24@ iscas. ac. cn>
> When auxiliary_device_add() returns error and then calls > auxiliary_device_uninit(), callback function adev_release calls kfree(madev) > to free memory. We shouldn't call kfree(padev) again in the error handling > path. > > Signed-off-by: Ma Ke <[email protected]> > --- > drivers/net/ethernet/microsoft/mana/mana_en.c | 31 +++++++++---------- > 1 file changed, 14 insertions(+), 17 deletions(-) > > diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c > b/drivers/net/ethernet/microsoft/mana/mana_en.c > index d087cf954f75..1754c92a6c15 100644 > --- a/drivers/net/ethernet/microsoft/mana/mana_en.c > +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c > @@ -2785,8 +2785,10 @@ static int add_adev(struct gdma_dev *gd) > > adev = &madev->adev; > ret = mana_adev_idx_alloc(); > - if (ret < 0) > - goto idx_fail; > + if (ret < 0) { > + kfree(madev); > + return ret; > + } > adev->id = ret; > > adev->name = "rdma"; > @@ -2795,26 +2797,21 @@ static int add_adev(struct gdma_dev *gd) > madev->mdev = gd; > > ret = auxiliary_device_init(adev); > - if (ret) > - goto init_fail; > + if (ret) { > + mana_adev_idx_free(adev->id); > + kfree(madev); > + return ret; > + } > > ret = auxiliary_device_add(adev); > - if (ret) > - goto add_fail; > + if (ret) { > + auxiliary_device_uninit(adev); > + mana_adev_idx_free(adev->id); > + return ret; > + } > > gd->adev = adev; > return 0; > - > -add_fail: > - auxiliary_device_uninit(adev); > - > -init_fail: > - mana_adev_idx_free(adev->id); > - > -idx_fail: > - kfree(madev); I think you can just avoid using add_fail and keep/retain rest of init_fail, idx_fail conditions in old way right? > - > - return ret; > } > > int mana_probe(struct gdma_dev *gd, bool resuming) > -- > 2.25.1 >
