[PATCH 3/3] nvme-core: preventing double freeing in ctrl release

irvin cote irvincoteg at gmail.com
Tue Apr 25 16:19:29 PDT 2023


On Tue, 25 Apr 2023 at 18:45, Keith Busch <kbusch at kernel.org> wrote:

> Isn't the problem that the nvme_put_ctrl() in this function's 'goto' error is
> doubling the rest of the unwinding, which means your ida_free() is happening
> twice?

The nvme_put_ctrl at the label "out_free_name" in nvme_init_ctrl
doesn't decrement the ref-count to 0 (thus doesn't trigger anything).
This is because by the time we get to it, device_initialize and
nvme_get_ctrl have each taken 1 reference.
However, the problem indeed arises from the fact that both the teardown
path and the release method (nvme_free_ctrl, triggered by the last
nvme_put_ctrl) call ida_free.

> I think instead the nvme_get_ctrl() should be the last thing done in the
> init_ctrl() function, then the rest of the cleanup on error would be simpler.

If we were to put nvme_get_ctrl at the end of nvme_init_ctrl, we would
still be facing the problem.
This is because, ultimately, the teardown path must clear the ref-count
of the controller before exiting the driver, and this will lead to the
release method being called and doubling some of the unwinding done by
the teardown path, among which ida_free.
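The ref-count arithmetic described in this reply, as an added toy model (not kernel code and not part of the original message): ctrl_get, ctrl_put, ctrl_release and ida_free_sim are hypothetical stand-ins for nvme_get_ctrl, nvme_put_ctrl, nvme_free_ctrl and ida_free, and the simulated ida only counts how often an id is released so the double free is observable.

```c
#include <stdio.h>

/* Hypothetical stand-in for struct nvme_ctrl; constructed for this example. */
struct ctrl {
    int refcount;
    int instance;         /* id handed out by the simulated ida */
    int *ida_free_count;  /* how many times ida_free ran for this id */
};

/* Stand-in for ida_free(): only records the call so we can count it. */
static void ida_free_sim(struct ctrl *c) { (*c->ida_free_count)++; }

/* Release method (stand-in for nvme_free_ctrl): runs on the last put. */
static void ctrl_release(struct ctrl *c) { ida_free_sim(c); }

static void ctrl_get(struct ctrl *c) { c->refcount++; }
static void ctrl_put(struct ctrl *c)
{
    if (--c->refcount == 0)
        ctrl_release(c);
}

/* Simulates nvme_init_ctrl failing after device_initialize and
 * nvme_get_ctrl each took a reference. teardown_frees_id selects whether
 * the unwinding path calls ida_free itself. Returns the number of
 * ida_free calls for the instance id. */
static int simulate_init_error(int teardown_frees_id)
{
    int frees = 0;
    struct ctrl c = { .refcount = 0, .instance = 7, .ida_free_count = &frees };

    ctrl_get(&c);              /* reference taken by device_initialize */
    ctrl_get(&c);              /* reference taken by nvme_get_ctrl */
    if (teardown_frees_id)     /* error path unwinds the instance id */
        ida_free_sim(&c);
    ctrl_put(&c);              /* out_free_name: 2 -> 1, release not run */
    ctrl_put(&c);              /* driver teardown: 1 -> 0, release runs */
    return frees;              /* 2 when teardown also freed, else 1 */
}

int main(void)
{
    printf("teardown frees id: %d ida_free calls\n", simulate_init_error(1));
    printf("release only:      %d ida_free calls\n", simulate_init_error(0));
    return 0;
}
```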
