Commit a1be1f39 authored by Eric Biggers's avatar Eric Biggers Committed by Linus Torvalds
Browse files

kernel/relay.c: revert "kernel/relay.c: fix potential memory leak" 

This reverts commit ba62bafe ("kernel/relay.c: fix potential memory leak").

This commit introduced a double free bug, because 'chan' is already
freed by the line:

    kref_put(&chan->kref, relay_destroy_channel);

This bug was found by syzkaller, using the BLKTRACESETUP ioctl.

Link: http://lkml.kernel.org/r/20180127004759.101823-1-ebiggers3@gmail.com


Fixes: ba62bafe ("kernel/relay.c: fix potential memory leak")
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Cc: Zhouyi Zhou <yizhouzhou@ict.ac.cn>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>	[4.7+]
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 28f3a488

kernel/relay.c

+0 −1
Original line number Diff line number Diff line
@@ -611,7 +611,6 @@ free_bufs: 


	kref_put(&chan->kref, relay_destroy_channel);

	mutex_unlock(&relay_channels_mutex);

	kfree(chan);

	return NULL;

}

EXPORT_SYMBOL_GPL(relay_open);

CRA Git | Maintained and supported by SUSTech CRA and CCSE