summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKonstantin Khlebnikov <khlebnikov@yandex-team.ru>2015-09-05 01:45:51 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2015-09-05 02:54:41 +0300
commit80da026a8e5da83b6ab029807844587960490e2b (patch)
treed56f11f025d23ae2fd0ba02ae2c563bf11c1aa37
parent588f8ba913d35a667407afa29444bf2f94e03d19 (diff)
downloadlinux-80da026a8e5da83b6ab029807844587960490e2b.tar.xz
mm/slub: fix slab double-free in case of duplicate sysfs filename
sysfs_slab_add() shouldn't call kobject_put at error path: this puts last reference of kmem-cache kobject and frees it. Kmem cache will be freed second time at error path in kmem_cache_create(). For example this happens when slub debug was enabled in runtime and somebody creates new kmem cache: # echo 1 | tee /sys/kernel/slab/*/sanity_checks # modprobe configfs "configfs_dir_cache" cannot be merged because existing slab have debug and cannot create new slab because unique name ":t-0000096" already taken. Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Acked-by: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Acked-by: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--mm/slub.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/mm/slub.c b/mm/slub.c
index 3efcdc02082c..7e9e508263fb 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5283,7 +5283,7 @@ static int sysfs_slab_add(struct kmem_cache *s)
s->kobj.kset = cache_kset(s);
err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
if (err)
- goto out_put_kobj;
+ goto out;
err = sysfs_create_group(&s->kobj, &slab_attr_group);
if (err)
@@ -5310,8 +5310,6 @@ out:
return err;
out_del_kobj:
kobject_del(&s->kobj);
-out_put_kobj:
- kobject_put(&s->kobj);
goto out;
}