nvme-fc: avoid memory corruption caused by calling nvmf_free_options() twice
authorEwan D. Milne <emilne@redhat.com>
Mon, 24 Apr 2017 17:24:16 +0000 (13:24 -0400)
committerChristoph Hellwig <hch@lst.de>
Tue, 25 Apr 2017 18:00:59 +0000 (20:00 +0200)
Do not call nvmf_free_options() from the nvme_fc_ctlr destructor if
nvme_fc_create_ctrl() returns an error, because nvmf_create_ctrl()
frees the options when an error is returned.

Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
drivers/nvme/host/fc.c

index e73862ebb8b4638583fd209f593f81b5d01e827c..4976db56e351901dcc2da7a56312105389b82276 100644 (file)
@@ -1716,7 +1716,8 @@ nvme_fc_ctrl_free(struct kref *ref)
        nvme_fc_rport_put(ctrl->rport);
 
        ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum);
-       nvmf_free_options(ctrl->ctrl.opts);
+       if (ctrl->ctrl.opts)
+               nvmf_free_options(ctrl->ctrl.opts);
        kfree(ctrl);
 }
 
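Review bot: The new `if (ctrl->ctrl.opts)` guard in nvme_fc_ctrl_free() depends on an unstated convention that a NULL opts pointer means the caller still owns the options, and nothing at the check says so. A short comment above it would keep a later cleanup from removing the test as redundant, for example `/* opts is NULL when init failed; nvmf_create_ctrl() frees it then */`. Because a missed case here is a double free, it is worth confirming that no other path reaches this destructor after the options have been freed elsewhere. That cannot be checked from this hunk.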
@@ -2807,6 +2808,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
 
        ret = nvme_fc_create_association(ctrl);
        if (ret) {
+               ctrl->ctrl.opts = NULL;
                /* initiate nvme ctrl ref counting teardown */
                nvme_uninit_ctrl(&ctrl->ctrl);
                nvme_put_ctrl(&ctrl->ctrl);
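Review bot: `ctrl->ctrl.opts = NULL;` runs before nvme_uninit_ctrl() and nvme_put_ctrl(), so anything in the teardown path, or any still-pending work, that dereferences ctrl->ctrl.opts would now hit a NULL pointer. Whether such a reader exists is not visible here, because nvme_fc_init_ctrl() begins before and continues past the hunk. If any work item can be queued by this point, it should be cancelled before the pointer is cleared. The assignment would also benefit from its own comment, such as `/* caller frees opts on error; keep nvme_fc_ctrl_free() from freeing it again */`.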