2015-02-11 04:58:31

by Lorenzo Pieralisi

Subject: [PATCH] drivers: of: pci: remove duplicate kfree in of_pci_get_host_bridge_resources

Commit d2be00c0fb5a ("of/pci: Free resources on failure in
of_pci_get_host_bridge_resources()") fixed the error code path in
of_pci_get_host_bridge_resources() by adding code that runs through the
resources list to free all resources in it and then calls kfree on the
bus_range resource pointer to complete the memory deallocation.
Since the bus_range resource is added to the resources list through
pci_add_resource, the resource_list_for_each_entry loop in the error
exit path frees it already and freeing it anew could trigger a double
free, hence this patch removes the superfluous kfree call on the bus_range
resource.

Fixes: d2be00c0fb5a ("of/pci: Free resources on failure in of_pci_get_host_bridge_resources()")
Signed-off-by: Lorenzo Pieralisi <[email protected]>
Reported-by: Jiang Liu <[email protected]>
Cc: Bjorn Helgaas <[email protected]>
Cc: Rafael J. Wysocki <[email protected]>
---
drivers/of/of_pci.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
index 110fece..62426d8 100644
--- a/drivers/of/of_pci.c
+++ b/drivers/of/of_pci.c
@@ -229,7 +229,6 @@ parse_failed:
resource_list_for_each_entry(window, resources)
kfree(window->res);
pci_free_resource_list(resources);
- kfree(bus_range);
return err;
}
EXPORT_SYMBOL_GPL(of_pci_get_host_bridge_resources);
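
Review bot: With the trailing kfree(bus_range) removed from parse_failed, bus_range is released only by the resource_list_for_each_entry loop, which is correct only if every jump to parse_failed happens after bus_range has been put on the resources list. The hunk does not show the goto sites, so please confirm that none of them precedes the pci_add_resource() call the changelog refers to; on such a path the double free would become a leak. A short comment above the loop stating that bus_range is on the list and is freed by kfree(window->res) would also help keep the extra call from being reintroduced later.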
--
2.2.1


2015-02-11 22:51:04

by Bjorn Helgaas

Subject: Re: [PATCH] drivers: of: pci: remove duplicate kfree in of_pci_get_host_bridge_resources

On Wed, Feb 11, 2015 at 04:58:35AM +0000, Lorenzo Pieralisi wrote:
> Commit d2be00c0fb5a ("of/pci: Free resources on failure in
> of_pci_get_host_bridge_resources()") fixed the error code path in
> of_pci_get_host_bridge_resources() by adding code that runs through the
> resources list to free all resources in it and then calls kfree on the
> bus_range resource pointer to complete the memory deallocation.
> Since the bus_range resource is added to the resources list through
> pci_add_resource, the resource_list_for_each_entry loop in the error
> exit path frees it already and freeing it anew could trigger a double
> free, hence this patch removes the superfluous kfree call on the bus_range
> resource.
>
> Fixes: d2be00c0fb5a ("of/pci: Free resources on failure in of_pci_get_host_bridge_resources()")
> Signed-off-by: Lorenzo Pieralisi <[email protected]>
> Reported-by: Jiang Liu <[email protected]>
> Cc: Bjorn Helgaas <[email protected]>
> Cc: Rafael J. Wysocki <[email protected]>

I applied this to for-linus, and will ask Linus to put it in before
v3.20-rc1, thanks!

Rafael, I applied d2be00c0fb5a, where the bug originally came from, but I
see that you fixed it with 5c493df25a0d and the fix got lost because of an
incorrect merge resolution. So if you'd rather take this, just let me
know.

> ---
> drivers/of/of_pci.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
> index 110fece..62426d8 100644
> --- a/drivers/of/of_pci.c
> +++ b/drivers/of/of_pci.c
> @@ -229,7 +229,6 @@ parse_failed:
> resource_list_for_each_entry(window, resources)
> kfree(window->res);
> pci_free_resource_list(resources);
> - kfree(bus_range);
> return err;
> }
> EXPORT_SYMBOL_GPL(of_pci_get_host_bridge_resources);
> --
> 2.2.1
>

2015-02-12 03:37:08

by Rafael J. Wysocki

Subject: Re: [PATCH] drivers: of: pci: remove duplicate kfree in of_pci_get_host_bridge_resources

On Wednesday, February 11, 2015 04:50:57 PM Bjorn Helgaas wrote:
> On Wed, Feb 11, 2015 at 04:58:35AM +0000, Lorenzo Pieralisi wrote:
> > Commit d2be00c0fb5a ("of/pci: Free resources on failure in
> > of_pci_get_host_bridge_resources()") fixed the error code path in
> > of_pci_get_host_bridge_resources() by adding code that runs through the
> > resources list to free all resources in it and then calls kfree on the
> > bus_range resource pointer to complete the memory deallocation.
> > Since the bus_range resource is added to the resources list through
> > pci_add_resource, the resource_list_for_each_entry loop in the error
> > exit path frees it already and freeing it anew could trigger a double
> > free, hence this patch removes the superfluous kfree call on the bus_range
> > resource.
> >
> > Fixes: d2be00c0fb5a ("of/pci: Free resources on failure in of_pci_get_host_bridge_resources()")
> > Signed-off-by: Lorenzo Pieralisi <[email protected]>
> > Reported-by: Jiang Liu <[email protected]>
> > Cc: Bjorn Helgaas <[email protected]>
> > Cc: Rafael J. Wysocki <[email protected]>
>
> I applied this to for-linus, and will ask Linus to put it in before
> v3.20-rc1, thanks!
>
> Rafael, I applied d2be00c0fb5a, where the bug originally came from, but I
> see that you fixed it with 5c493df25a0d and the fix got lost because of an
> incorrect merge resolution. So if you'd rather take this, just let me
> know.

That really should go through your tree I think. I attempted to fix it, but
failed to do that correctly, so effectively that doesn't count ...

Rafael