[PATCH] nvme-loop: kfree(ctrl) on _create() error exit
Christoph Hellwig
hch at infradead.org
Thu Oct 27 05:49:06 PDT 2016
On Wed, Oct 26, 2016 at 01:20:57PM -0700, Jay Freyensee wrote:
> diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
> index d5df77d..b0f9931 100644
> --- a/drivers/nvme/target/loop.c
> +++ b/drivers/nvme/target/loop.c
> @@ -673,6 +673,7 @@ static struct nvme_ctrl *nvme_loop_create_ctrl(struct device *dev,
> nvme_uninit_ctrl(&ctrl->ctrl);
> out_put_ctrl:
> nvme_put_ctrl(&ctrl->ctrl);
> + kfree(ctrl);
> if (ret > 0)
> ret = -EIO;
> return ERR_PTR(ret);
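Review bot: the added kfree(ctrl) under out_put_ctrl runs immediately after nvme_put_ctrl(&ctrl->ctrl) on the same object, so if that put drops the last reference and the release path frees the containing structure, this line frees it a second time. The quoted change does not say which exit leaks ctrl. If the leak exists only on exits taken before the controller's reference count is live, free ctrl there under its own label rather than after the put, and name that exit in the commit message.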
This will give us a double free. The final put in nvme_put_ctrl calls
->free_ctrl which will free the controller.
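
The ownership rule described in the reply above, as an added userspace model that is not part of the original message and is not kernel code. All names are hypothetical, and it assumes the creator holds the only reference when the error exit runs. A one-slot allocator counts the second free instead of performing it.

```c
#include <stddef.h>

/* Userspace model of the error path; every name is hypothetical. */
struct ctrl;
struct ctrl_ops { void (*free_ctrl)(struct ctrl *c); };
struct ctrl { int refs; const struct ctrl_ops *ops; };
struct loop_ctrl { struct ctrl ctrl; };   /* ctrl embedded as first member */

/* One-slot allocator that records misuse instead of corrupting a heap. */
static struct loop_ctrl slot;
static int slot_live, double_frees;

static struct loop_ctrl *model_alloc(void)
{
    slot_live = 1;
    return &slot;
}

static void model_kfree(void *p)
{
    (void)p;
    if (!slot_live) { double_frees++; return; }  /* already released */
    slot_live = 0;
}

/* Release callback: the refcount owner frees the containing object. */
static void loop_free_ctrl(struct ctrl *c) { model_kfree(c); }
static const struct ctrl_ops loop_ops = { .free_ctrl = loop_free_ctrl };

static void put_ctrl(struct ctrl *c)
{
    if (--c->refs == 0)
        c->ops->free_ctrl(c);   /* final put frees via the callback */
}

/* Run the out_put_ctrl path; extra_kfree=1 models the proposed patch.
 * Returns the number of double frees the allocator observed. */
int error_path_double_frees(int extra_kfree)
{
    struct loop_ctrl *ctrl = model_alloc();

    double_frees = 0;
    ctrl->ctrl.refs = 1;        /* assumption: creator holds the only ref */
    ctrl->ctrl.ops = &loop_ops;

    put_ctrl(&ctrl->ctrl);      /* drops it: object is released here */
    if (extra_kfree)
        model_kfree(ctrl);      /* second free of the same object */
    return double_frees;
}
```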