From 144c1dd22207706c79accf797a92a3798124fb01 Mon Sep 17 00:00:00 2001
From: Chen Jun <chenjun102@huawei.com>
Date: Sat, 4 Mar 2023 07:24:42 +0000
Subject: [PATCH] mm/sharepool: Fix a double free problem caused by
 init_local_group

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I64Y5Y

-------------------------------

If local_group_add_task fails in init_local_group, the ida frees the
same id twice.

init_local_group
  local_group_add_task    // failed
  goto free_spg

free_spg:
  free_sp_group_locked
    free_sp_group_id      // free spg->id
free_spg_id:
  free_new_spg_id         // double free spg->id

To fix it, return before calling free_new_spg_id.

Signed-off-by: Chen Jun <chenjun102@huawei.com>
---
 mm/share_pool.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/mm/share_pool.c b/mm/share_pool.c
index e9d2ae0a5352..ababe279c44d 100644
--- a/mm/share_pool.c
+++ b/mm/share_pool.c
@@ -487,8 +487,8 @@ static int init_local_group(struct mm_struct *mm)
 
 	spg = create_spg(spg_id, 0);
 	if (IS_ERR(spg)) {
-		ret = PTR_ERR(spg);
-		goto free_spg_id;
+		free_new_spg_id(true, spg_id);
+		return PTR_ERR(spg);
 	}
 
 	master->local = spg;
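Review bot: The early `return PTR_ERR(spg);` after a failed create_spg() now bypasses the function's common exit, so the only cleanup on this path is free_new_spg_id(); the start of init_local_group is outside the hunk, and if anything besides spg_id is acquired before create_spg() it would be leaked here, although the removed `goto free_spg_id` target released only spg_id, which suggests there is nothing else. The ownership split this fix relies on deserves a comment at the return, e.g. `/* create_spg() failed, so spg_id is still owned by this function */`, mirroring the note added at the free_spg label further down.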
@@ -509,11 +509,9 @@ static int init_local_group(struct mm_struct *mm)
 	return 0;
 
 free_spg:
+	/* spg_id is freed in free_sp_group_locked */
 	free_sp_group_locked(spg);
 	master->local = NULL;
-free_spg_id:
-	free_new_spg_id(true, spg_id);
-
 	return ret;
 }
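Review bot: The new comment at `free_spg:` states that spg_id is freed in free_sp_group_locked(), but the ownership transfer that makes this true (spg taking over the id when create_spg() succeeds) is the actual invariant a later reader needs, and it is what prevents the double free described in the commit message. Making that explicit would read something like `/* spg owns spg_id once create_spg() succeeds; free_sp_group_locked() releases it via free_sp_group_id(), so it must not be freed again here */`. Dropping the `free_spg_id` label is correct given that invariant; the one caveat is that any future error path added between create_spg() and local_group_add_task() must jump to free_spg rather than free the id directly, which the expanded comment would make clear.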
 
-- 
GitLab