Message ID | 20181224054556.32167-1-xiyou.wangcong@gmail.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Series | [net] tipc: fix a double free in tipc_enable_bearer() |
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sun, 23 Dec 2018 21:45:56 -0800

> bearer_disable() already calls kfree_rcu() to free struct tipc_bearer,
> we don't need to call kfree() again.
>
> Fixes: cb30a63384bc ("tipc: refactor function tipc_enable_bearer()")
> Reported-by: syzbot+b981acf1fb240c0c128b@syzkaller.appspotmail.com
> Cc: Ying Xue <ying.xue@windriver.com>
> Cc: Jon Maloy <jon.maloy@ericsson.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable, thanks Cong.

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index fb2c0d8f359f..d27f30a9a01d 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -319,7 +319,6 @@ static int tipc_enable_bearer(struct net *net, const char *name, res = tipc_disc_create(net, b, &b->bcast_addr, &skb); if (res) { bearer_disable(net, b); - kfree(b); errstr = "failed to create discoverer"; goto rejected; }
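
Review bot: In the tipc_disc_create() failure branch of tipc_enable_bearer(), nothing at the call site says that bearer_disable(net, b) also releases b, which is how the extra kfree(b) got there in the first place. A one-line comment above the call noting that bearer_disable() frees the bearer through kfree_rcu() would keep a later refactor from re-adding the free. The branch then jumps to the rejected label, which is outside this hunk, so it is worth confirming that nothing on that path reads b after this point.
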
bearer_disable() already calls kfree_rcu() to free struct tipc_bearer,
we don't need to call kfree() again.

Fixes: cb30a63384bc ("tipc: refactor function tipc_enable_bearer()")
Reported-by: syzbot+b981acf1fb240c0c128b@syzkaller.appspotmail.com
Cc: Ying Xue <ying.xue@windriver.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/tipc/bearer.c | 1 -
 1 file changed, 1 deletion(-)