From 3630473789c359155f05075bea018c32d24032b3 Mon Sep 17 00:00:00 2001
From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Date: Sun, 13 Jun 2021 12:23:58 +0800
Subject: [PATCH] ioat: fix potential double free problem in
 ioat_channel_start()

In ioat_channel_start(), if spdk_vtophys(ioat->comp_update) returns
SPDK_VTOPHYS_ERROR, spdk_free is called to free ioat->comp_update,
and ioat->comp_update is not set to NULL. However, the caller
ioat_attach() will also call ioat_channel_destruct() to free
ioat->comp_update, then double-free problem occurs.

Here, we will not free ioat->comp_update in ioat_channel_start(),
ioat_channel_destruct() will do that.

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Change-Id: I3be19a3feec5c2188051ee67820bfd1e61de9b48
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8300
Community-CI: Mellanox Build Bot
Reviewed-by: Changpeng Liu <changpeng.liu@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@mellanox.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
---
 lib/ioat/ioat.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/ioat/ioat.c b/lib/ioat/ioat.c
index 27ac0a0ed..af83c42be 100644
--- a/lib/ioat/ioat.c
+++ b/lib/ioat/ioat.c
@@ -429,7 +429,6 @@ ioat_channel_start(struct spdk_ioat_chan *ioat)
 
 	comp_update_bus_addr = spdk_vtophys((void *)ioat->comp_update, NULL);
 	if (comp_update_bus_addr == SPDK_VTOPHYS_ERROR) {
-		spdk_free((void *)ioat->comp_update);
 		return -1;
 	}