blk-mq: fix double-free in error path

If the allocation of bt->bs fails, then bt->map can be freed twice, once in blk_mq_init_bitmap_tags() -> bt_alloc(), and once in blk_mq_init_bitmap_tags() -> bt_free(). Fix by setting the pointer to NULL after the first free. Cc: <[email protected]> Signed-off-by: Tony Battersby <[email protected]> Signed-off-by: Jens Axboe <[email protected]>
SKAPUSTIANSKYI · Feb 11, 2015 · 564e559 · 564e559
1 parent 854fbb9
commit 564e559
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
@@ -524,6 +524,7 @@ static int bt_alloc(struct blk_mq_bitmap_tags *bt, unsigned int depth,
 	bt->bs = kzalloc(BT_WAIT_QUEUES * sizeof(*bt->bs), GFP_KERNEL);
 	if (!bt->bs) {
 		kfree(bt->map);
+		bt->map = NULL;
 		return -ENOMEM;
 	}