Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit de41447a authored by Ewan D. Milne's avatar Ewan D. Milne Committed by Christoph Hellwig
Browse files

nvme-fc: avoid memory corruption caused by calling nvmf_free_options() twice 



Do not call nvmf_free_options() from the nvme_fc_ctlr destructor if
nvme_fc_create_ctrl() returns an error, because nvmf_create_ctrl()
frees the options when an error is returned.

Signed-off-by: default avatarEwan D. Milne <emilne@redhat.com>
Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
parent bbe3012b

drivers/nvme/host/fc.c

+3 −1
Original line number Diff line number Diff line
@@ -1716,6 +1716,7 @@ nvme_fc_ctrl_free(struct kref *ref) 
	nvme_fc_rport_put(ctrl->rport);



	ida_simple_remove(&nvme_fc_ctrl_cnt, ctrl->cnum);

	if (ctrl->ctrl.opts)

		nvmf_free_options(ctrl->ctrl.opts);

	kfree(ctrl);

}
@@ -2807,6 +2808,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, 


	ret = nvme_fc_create_association(ctrl);

	if (ret) {

		ctrl->ctrl.opts = NULL;

		/* initiate nvme ctrl ref counting teardown */

		nvme_uninit_ctrl(&ctrl->ctrl);

		nvme_put_ctrl(&ctrl->ctrl);