To: Pan Bian
Cc: Jack Wang, lindar_liu@usish.com, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: scsi: pm8001: fix double free in pm8001_pci_probe
From: "Martin K. Petersen"
Organization: Oracle Corporation
References: <1502192430-12440-1-git-send-email-bianpan2016@163.com>
Date: Thu, 10 Aug 2017 20:05:37 -0400
In-Reply-To: <1502192430-12440-1-git-send-email-bianpan2016@163.com> (Pan Bian's message of "Tue, 8 Aug 2017 19:40:30 +0800")
X-Mailing-List: linux-kernel@vger.kernel.org

Pan,

> In function pm8001_pci_probe(), on errors that the control flow jumps to
> label err_out_ha_free, function pm8001_free() is called. In pm8001_free(),
> scsi_host_put() is called to release shost, which keeps the return value
> of scsi_host_alloc(). After pm8001_free() returns, kfree() is called to
> free shost again, resulting in a double free bug. This patch removes
> scsi_host_put() from pm8001_free() and explicitly calls scsi_host_put()
> to release Scsi_Host in need.

Applied to 4.14/scsi-queue.

--
Martin K. Petersen	Oracle Linux Engineering
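
Added example, not part of the original message and not code from the pm8001 driver: a user-space model of the error path described in the quoted commit message, counting how often the host object is released before and after the ownership change. All `mock_*` names and `probe_error_path_releases()` are hypothetical, and the fixed branch assumes the caller drops the reference exactly once.

```c
#include <stdio.h>

/* Constructed model: mock_host stands in for Scsi_Host, mock_ha for the
 * driver's private adapter data. Nothing is really freed; releases are
 * counted so the double release can be observed safely. */
struct mock_host { int refcount; int releases; };
struct mock_ha   { struct mock_host *shost; };

/* Models scsi_host_put(): drop one reference, release at zero. */
static void mock_host_put(struct mock_host *h)
{
    if (--h->refcount == 0)
        h->releases++;              /* real code would free the object here */
}

/* Models the trailing kfree(shost): an unconditional release. */
static void mock_kfree(struct mock_host *h) { h->releases++; }

/* Before: the cleanup helper also drops the host reference. */
static void mock_free_ha_before(struct mock_ha *ha)
{
    if (ha->shost)
        mock_host_put(ha->shost);
}

/* After: the helper only tears down adapter-private state. */
static void mock_free_ha_after(struct mock_ha *ha) { ha->shost = NULL; }

/* Returns how many times the host was released on the probe error path. */
int probe_error_path_releases(int fixed)
{
    struct mock_host host = { .refcount = 1, .releases = 0 };
    struct mock_ha ha = { .shost = &host };

    if (fixed) {
        mock_free_ha_after(&ha);
        mock_host_put(&host);       /* single explicit release by the owner */
    } else {
        mock_free_ha_before(&ha);   /* release #1, hidden inside the helper */
        mock_kfree(&host);          /* release #2: the double free */
    }
    return host.releases;
}

int main(void)
{
    printf("before fix: %d releases\n", probe_error_path_releases(0));
    printf("after fix:  %d releases\n", probe_error_path_releases(1));
    return 0;
}
```

The pattern to look for when auditing similar probe functions is a cleanup helper that releases an object its caller still believes it owns.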