提交 144c1dd2 编写于 作者: C Chen Jun 提交者: Zhong Jinghua

mm/sharepool: Fix a double free problem caused by init_local_group

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I64Y5Y

-------------------------------

If local_group_add_task fails in init_local_group, the ida id is freed
twice.

init_local_group
  local_group_add_task    // failed
  goto free_spg

free_spg:
  free_sp_group_locked
    free_sp_group_id      // free spg->id
free_spg_id:
  free_new_spg_id         // double free spg->id

To fix it, return before calling free_new_spg_id.
Signed-off-by: NChen Jun <chenjun102@huawei.com>
上级 af363825
...@@ -487,8 +487,8 @@ static int init_local_group(struct mm_struct *mm) ...@@ -487,8 +487,8 @@ static int init_local_group(struct mm_struct *mm)
spg = create_spg(spg_id, 0); spg = create_spg(spg_id, 0);
if (IS_ERR(spg)) { if (IS_ERR(spg)) {
ret = PTR_ERR(spg); free_new_spg_id(true, spg_id);
goto free_spg_id; return PTR_ERR(spg);
} }
master->local = spg; master->local = spg;
...@@ -509,11 +509,9 @@ static int init_local_group(struct mm_struct *mm) ...@@ -509,11 +509,9 @@ static int init_local_group(struct mm_struct *mm)
return 0; return 0;
free_spg: free_spg:
/* spg_id is freed in free_sp_group_locked */
free_sp_group_locked(spg); free_sp_group_locked(spg);
master->local = NULL; master->local = NULL;
free_spg_id:
free_new_spg_id(true, spg_id);
return ret; return ret;
} }
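Review bot: The early-return path in the first hunk now releases spg_id itself, while the free_spg path leaves that to free_sp_group_locked, so ownership of the id silently moves to spg once create_spg succeeds; only the second path says so. A one-line comment before the new call, `/* create_spg failed, so spg_id is still ours to release */`, would keep the two paths readable together. Whether create_spg frees the id on its own failure paths is not visible here; if it does, this call is still a double free, so that helper's contract is worth confirming. init_local_group begins before the first hunk and the code between the two hunks is not shown.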