From: Tiezhu Yang <yangtiezhu@xxxxxxxxxxx> Subject: test_kmod: avoid potential double free in trigger_config_run_type() Reset the member "test_fs" of the test configuration after a call of the function "kfree_const" to a null pointer so that a double memory release will not be performed. Link: http://lkml.kernel.org/r/20200610154923.27510-4-mcgrof@xxxxxxxxxx Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") Signed-off-by: Tiezhu Yang <yangtiezhu@xxxxxxxxxxx> Signed-off-by: Luis Chamberlain <mcgrof@xxxxxxxxxx> Acked-by: Luis Chamberlain <mcgrof@xxxxxxxxxx> Cc: Alexei Starovoitov <ast@xxxxxxxxxx> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Christian Brauner <christian.brauner@xxxxxxxxxx> Cc: Chuck Lever <chuck.lever@xxxxxxxxxx> Cc: David Howells <dhowells@xxxxxxxxxx> Cc: David S. Miller <davem@xxxxxxxxxxxxx> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Cc: Jakub Kicinski <kuba@xxxxxxxxxx> Cc: James Morris <jmorris@xxxxxxxxx> Cc: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> Cc: J. Bruce Fields <bfields@xxxxxxxxxxxx> Cc: Jens Axboe <axboe@xxxxxxxxx> Cc: Josh Triplett <josh@xxxxxxxxxxxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Lars Ellenberg <lars.ellenberg@xxxxxxxxxx> Cc: Nikolay Aleksandrov <nikolay@xxxxxxxxxxxxxxxxxxx> Cc: Philipp Reisner <philipp.reisner@xxxxxxxxxx> Cc: Roopa Prabhu <roopa@xxxxxxxxxxxxxxxxxxx> Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx> Cc: Sergei Trofimovich <slyfox@xxxxxxxxxx> Cc: Sergey Kvachonok <ravenexp@xxxxxxxxx> Cc: Shuah Khan <shuah@xxxxxxxxxx> Cc: Tony Vroon <chainsaw@xxxxxxxxxx> Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- lib/test_kmod.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/test_kmod.c~test_kmod-avoid-potential-double-free-in-trigger_config_run_type +++ a/lib/test_kmod.c @@ -745,7 +745,7 @@ static int trigger_config_run_type(struc break; case TEST_KMOD_FS_TYPE: kfree_const(config->test_fs); - config->test_driver = NULL; + config->test_fs = NULL; copied = config_copy_test_fs(config, test_str, strlen(test_str)); break; _