From: Eric Biggers <ebiggers3@gmail.com>
To: linux-kernel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>
Cc: Zhouyi Zhou <yizhouzhou@ict.ac.cn>, Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org, syzkaller-bugs@googlegroups.com,
Eric Biggers <ebiggers@google.com>,
stable@vger.kernel.org
Subject: [PATCH] Revert "kernel/relay.c: fix potential memory leak"
Date: Fri, 26 Jan 2018 16:47:59 -0800
Message-ID: <20180127004759.101823-1-ebiggers3@gmail.com>
In-Reply-To: <089e082d01d08b36a6055cd763ca@google.com>
From: Eric Biggers <ebiggers@google.com>
This reverts commit ba62bafe942b159a6109cbec780d36496e06b6c5.

This commit introduced a double free bug, because 'chan' is already
freed by the line:

    kref_put(&chan->kref, relay_destroy_channel);

This bug was found by syzkaller, using the BLKTRACESETUP ioctl.

Fixes: ba62bafe942b ("kernel/relay.c: fix potential memory leak")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
kernel/relay.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/kernel/relay.c b/kernel/relay.c
index 39a9dfc69486..55da824f4adc 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -611,7 +611,6 @@ struct rchan *relay_open(const char *base_filename,
kref_put(&chan->kref, relay_destroy_channel);
mutex_unlock(&relay_channels_mutex);
- kfree(chan);
return NULL;
}
EXPORT_SYMBOL_GPL(relay_open);
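Review bot: the error path at the end of relay_open() has no comment saying that kref_put(&chan->kref, relay_destroy_channel) is what releases 'chan', and that gap is what made the now-removed kfree(chan) look like a leak fix. Consider a one-line comment above the kref_put() call stating that it drops the reference and frees the channel through relay_destroy_channel, so nobody re-adds a kfree() after it. The commit message could also say explicitly that no leak exists on this path once kfree(chan) is gone, since the reverted commit was titled as a memory leak fix and stable maintainers reading only the subject may wonder whether the revert brings the leak back.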
--
2.16.0.rc1.238.g530d649a79-goog