In virtio_fs_get_tree, fm is allocated by kzalloc() and assigned to fsc->s_fs_info by the fsc->s_fs_info=fm statement. If the kzalloc() failed, it will goto err directly, so that fsc->s_fs_info must be non-NULL and fm will be freed. But later fm is freed again when virtio_fs_fill_super() failed. I think the statement if (fsc->s_fs_info) {kfree(fm);} is misplaced. My patch puts this statement in the correct place to avoid double free.

Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>

--- fs/fuse/virtio_fs.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c index 8868ac31a3c0..727cf436828f 100644 --- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -1437,10 +1437,7 @@ static int virtio_fs_get_tree(struct fs_context *fsc) fsc->s_fs_info = fm; sb = sget_fc(fsc, virtio_fs_test_super, set_anon_super_fc); - if (fsc->s_fs_info) { - fuse_conn_put(fc); - kfree(fm); - } + if (IS_ERR(sb)) return PTR_ERR(sb); @@ -1457,6 +1454,11 @@ static int virtio_fs_get_tree(struct fs_context *fsc) sb->s_flags |= SB_ACTIVE; } + if (fsc->s_fs_info) { + fuse_conn_put(fc); + kfree(fm); + } + WARN_ON(fsc->root); fsc->root = dget(sb->s_root); return 0; -- 2.25.1
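Review bot: the first hunk (around line 1437) removes the only release of fm and fc that ran before `return PTR_ERR(sb);`, so on the sget_fc() error path fm and the fuse_conn reference are now leaked whenever fsc->s_fs_info is still set; the `goto err` path mentioned in the commit message frees fm, but this bare return does not. The premise that fsc->s_fs_info "must be non-NULL" after sget_fc() also needs checking: sget_fc() in fs/super.c hands fc->s_fs_info to a newly allocated superblock and clears the context's pointer, so `if (fsc->s_fs_info)` at the original position is the ownership test for the case where an existing superblock was found and the freshly allocated fm is surplus, while the kfree(fm) in the virtio_fs_fill_super() failure path acts on the fm that the new superblock adopted. If that is the actual behaviour, the same fm is never freed twice and the original placement is correct; the commit message should spell out the concrete call sequence that frees one fm twice before this block is moved.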
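Review bot: the second hunk (around line 1454) places the release after the `if (!sb->s_root)` block, which cannot affect the virtio_fs_fill_super() failure path at all, since that path returns err before this point; if fm really were freed twice there, this move would not prevent it. On the success path the moved block is reached with sb active, and by the commit message's own premise (fsc->s_fs_info still equal to fm after sget_fc()) sb->s_fs_info would point at the same fm that kfree(fm) releases here, leaving the live superblock with a dangling s_fs_info. Either the premise is wrong, in which case the original placement directly after sget_fc() was already correct, or the fix belongs elsewhere; stating which superblock owns fm in the new-superblock and existing-superblock cases would settle it.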