From 836d0ba33c5b36ab43ff2425a8e5726fdc379ad4 Mon Sep 17 00:00:00 2001
From: Yufen Yu <yuyufen@huawei.com>
Date: Thu, 20 Feb 2020 19:05:34 +0800
Subject: [PATCH] bdi: fix memleak in bdi_register_va()

hulk inclusion
category: bugfix
bugzilla: 30109
CVE: NA
---------------------------

When device_add() fail, we just free rcu_dev and
forget kobj->name. Using put_devcie to free both
of rcu_dev and kobj->name.

Fixes: 5ca4579ae59b ("bdi: fix use-after-free for the bdi device")
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 mm/backing-dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 040d778db5d0..75a61176f392 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -921,7 +921,7 @@ int bdi_register_va(struct backing_dev_info *bdi, const char *fmt, va_list args)
 	return 0;
 
 error:
-	kfree(rcu_dev);
+	put_device(&rcu_dev->dev);
 	return retval;
 }
 EXPORT_SYMBOL(bdi_register_va);
@@ -974,12 +974,12 @@ static void bdi_put_device_rcu(struct rcu_head *rcu)
 void bdi_unregister(struct backing_dev_info *bdi)
 {
 	/* make sure nobody finds us on the bdi_list anymore */
-	struct rcu_device *rcu_dev = bdi->rcu_dev;
 	bdi_remove_from_list(bdi);
 	wb_shutdown(&bdi->wb);
 	cgwb_bdi_unregister(bdi);
 
 	if (bdi->dev) {
+		struct rcu_device *rcu_dev = bdi->rcu_dev;
 		bdi_debug_unregister(bdi);
 		get_device(bdi->dev);
 		device_unregister(bdi->dev);
-- 
GitLab