| Message ID | 20250102093058.177866-1-make_ruc2021@163.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Krzysztof WilczyĆski |
| Headers | show |
| Series | PCI: endpoint: Fix a double free in __pci_epc_create() | expand |
> The put_device(&epc->dev) call will trigger pci_epc_release() which > frees "epc" so the kfree(epc) on the next line is a double free. See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.13-rc5#n94 > Found by code review. Would you become interested to check how many similar control flows can still be detected by the means of automated advanced source code analyses? Regards, Markus
diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c index 46c9a5c3ca14..652350f054cf 100644 --- a/drivers/pci/endpoint/pci-epc-core.c +++ b/drivers/pci/endpoint/pci-epc-core.c @@ -818,7 +818,6 @@ __pci_epc_create(struct device *dev, const struct pci_epc_ops *ops, put_dev: put_device(&epc->dev); - kfree(epc); err_ret: return ERR_PTR(ret);
The put_device(&epc->dev) call will trigger pci_epc_release() which frees "epc" so the kfree(epc) on the next line is a double free. Found by code review. Cc: stable@vger.kernel.org Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions") Signed-off-by: Ma Ke <make_ruc2021@163.com> --- drivers/pci/endpoint/pci-epc-core.c | 1 - 1 file changed, 1 deletion(-)