kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"
This reverts commit ba62baf ("kernel/relay.c: fix potential memory leak").

This commit introduced a double free bug, because 'chan' is already
freed by the line:

    kref_put(&chan->kref, relay_destroy_channel);

This bug was found by syzkaller, using the BLKTRACESETUP ioctl.

Link: http://lkml.kernel.org/r/[email protected]
Fixes: ba62baf ("kernel/relay.c: fix potential memory leak")
Signed-off-by: Eric Biggers <[email protected]>
Reported-by: syzbot <[email protected]>
Reviewed-by: Andrew Morton <[email protected]>
Cc: Zhouyi Zhou <[email protected]>
Cc: Jens Axboe <[email protected]>
Cc: <[email protected]>	[4.7+]
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
ebiggers authored and torvalds committed Feb 7, 2018
1 parent 28f3a48 commit a1be1f3
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion kernel/relay.c
Expand Up @@ -611,7 +611,6 @@ struct rchan *relay_open(const char *base_filename,

kref_put(&chan->kref, relay_destroy_channel);
mutex_unlock(&relay_channels_mutex);
kfree(chan);
return NULL;
}
EXPORT_SYMBOL_GPL(relay_open);
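Review bot: The error path at kref_put(&chan->kref, relay_destroy_channel) has no comment in the visible context saying that dropping this reference is what frees chan, and that is the misreading behind the kfree(chan) line this revert deletes. Since the rendered hunk shows kfree(chan) directly after mutex_unlock(&relay_channels_mutex) and the commit message states that chan is already freed by the kref_put line, a one-line comment above the kref_put call (for example "/* relay_destroy_channel() frees chan; do not kfree() it here */") would keep the path from being "fixed" for a leak a second time. The revert itself is the minimal change and matches the "0 additions and 1 deletion" summary, and the Cc to stable for 4.7+ is appropriate for a double free reachable through the BLKTRACESETUP ioctl.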