Patch "kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"" has been added to the 4.9-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kernel-relay.c-revert-kernel-relay.c-fix-potential-memory-leak.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From a1be1f3931bfe0a42b46fef77a04593c2b136e7f Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@xxxxxxxxxx>
Date: Tue, 6 Feb 2018 15:40:24 -0800
Subject: kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"

From: Eric Biggers <ebiggers@xxxxxxxxxx>

commit a1be1f3931bfe0a42b46fef77a04593c2b136e7f upstream.

This reverts commit ba62bafe942b ("kernel/relay.c: fix potential memory leak").

This commit introduced a double free bug, because 'chan' is already
freed by the line:

    kref_put(&chan->kref, relay_destroy_channel);

This bug was found by syzkaller, using the BLKTRACESETUP ioctl.

Link: http://lkml.kernel.org/r/20180127004759.101823-1-ebiggers3@xxxxxxxxx
Fixes: ba62bafe942b ("kernel/relay.c: fix potential memory leak")
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
Reviewed-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Zhouyi Zhou <yizhouzhou@xxxxxxxxx>
Cc: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 kernel/relay.c |    1 -
 1 file changed, 1 deletion(-)

--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -611,7 +611,6 @@ free_bufs:
 
 	kref_put(&chan->kref, relay_destroy_channel);
 	mutex_unlock(&relay_channels_mutex);
-	kfree(chan);
 	return NULL;
 }
 EXPORT_SYMBOL_GPL(relay_open);


Patches currently in stable-queue which might be from ebiggers@xxxxxxxxxx are

queue-4.9/pipe-fix-off-by-one-error-when-checking-buffer-limits.patch
queue-4.9/crypto-cryptd-pass-through-absence-of-setkey.patch
queue-4.9/pipe-actually-allow-root-to-exceed-the-pipe-buffer-limits.patch
queue-4.9/kernel-relay.c-revert-kernel-relay.c-fix-potential-memory-leak.patch
queue-4.9/nfs-reject-request-for-id_legacy-key-without-auxdata.patch
queue-4.9/crypto-poly1305-remove-setkey-method.patch
queue-4.9/crypto-sha512-mb-initialize-pending-lengths-correctly.patch
queue-4.9/crypto-hash-introduce-crypto_hash_alg_has_setkey.patch
queue-4.9/crypto-mcryptd-pass-through-absence-of-setkey.patch
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]