Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work()

[ Upstream commit 885f4a86354c9afaceaf5ee98dd2a61fcec55bdf ]

In the error path of vmbus_device_register(), device_unregister()
is called, which calls vmbus_device_release().  The latter frees
the struct hv_device that was passed in to vmbus_device_register().
So remove the kfree() in vmbus_add_channel_work() to avoid a double
free.

Fixes: 03d76a8b8a52 ("vmbus: add per-channel sysfs info")
Suggested-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20221119081135.1564691-2-yangyingliang@huawei.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 9260ad47350f8b777fed3f8fdce2d0f3b023dce1..3adf4fae452a72b407350e1ee5dcab6afc51d5bd 100644 (file)
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -493,13 +493,17 @@ static void vmbus_add_channel_work(struct work_struct *work)
         * Add the new device to the bus. This will kick off device-driver
         * binding which eventually invokes the device driver's AddDevice()
         * method.
+        *
+        * If vmbus_device_register() fails, the 'device_obj' is freed in
+        * vmbus_device_release() as called by device_unregister() in the
+        * error path of vmbus_device_register(). In the outside error
+        * path, there's no need to free it.
         */
        ret = vmbus_device_register(newchannel->device_obj);
 
        if (ret != 0) {
                pr_err("unable to add child device object (relid %d)\n",
                        newchannel->offermsg.child_relid);
-               kfree(newchannel->device_obj);
                goto err_deq_chan;
        }