Commit b481f644 authored Sep 23, 2023 by Dinghao Liu Committed by Martin K. Petersen Sep 27, 2023

scsi: zfcp: Fix a double put in zfcp_port_enqueue()



When device_register() fails, zfcp_port_release() will be called after
put_device(). As a result, zfcp_ccw_adapter_put() will be called twice: one
in zfcp_port_release() and one in the error path after device_register().
So the reference on the adapter object is doubly put, which may lead to a
premature free. Fix this by adjusting the error tag after
device_register().

Fixes: f3450c7b ("[SCSI] zfcp: Replace local reference counting with common kref")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/r/20230923103723.10320-1-dinghao.liu@zju.edu.cn


Acked-by: Benjamin Block <bblock@linux.ibm.com>
Cc: stable@vger.kernel.org # v2.6.33+
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent 514f0c40

drivers/s390/scsi/zfcp_aux.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -518,12 +518,12 @@ struct zfcp_port zfcp_port_enqueue(struct zfcp_adapter adapter, u64 wwpn,
		if (port) {
		put_device(&port->dev);
		retval = -EEXIST;
		goto err_out;
		goto err_put;
		}

		port = kzalloc(sizeof(struct zfcp_port), GFP_KERNEL);
		if (!port)
		goto err_out;
		goto err_put;

		rwlock_init(&port->unit_list_lock);
		INIT_LIST_HEAD(&port->unit_list);
		@@ -546,7 +546,7 @@ struct zfcp_port zfcp_port_enqueue(struct zfcp_adapter adapter, u64 wwpn,

		if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
		kfree(port);
		goto err_out;
		goto err_put;
		}
		retval = -EINVAL;

		@@ -563,7 +563,8 @@ struct zfcp_port zfcp_port_enqueue(struct zfcp_adapter adapter, u64 wwpn,

		return port;

		err_out:
		err_put:
		zfcp_ccw_adapter_put(adapter);
		err_out:
		return ERR_PTR(retval);
		}