Commit a1be1f39 authored by Eric Biggers's avatar Eric Biggers Committed by Linus Torvalds
Browse files

kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"

This reverts commit ba62bafe ("kernel/relay.c: fix potential memory leak").

This commit introduced a double free bug, because 'chan' is already
freed by the line:

    kref_put(&chan->kref, relay_destroy_channel);

This bug was found by syzkaller, using the BLKTRACESETUP ioctl.

Link: http://lkml.kernel.org/r/20180127004759.101823-1-ebiggers3@gmail.com
Fixes: ba62bafe

 ("kernel/relay.c: fix potential memory leak")
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Cc: Zhouyi Zhou <yizhouzhou@ict.ac.cn>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>	[4.7+]
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 28f3a488
......@@ -611,7 +611,6 @@ struct rchan *relay_open(const char *base_filename,
kref_put(&chan->kref, relay_destroy_channel);
mutex_unlock(&relay_channels_mutex);
kfree(chan);
return NULL;
}
EXPORT_SYMBOL_GPL(relay_open);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment