From: Al Viro Date: Mon, 9 Jan 2012 00:40:27 +0000 (-0500) Subject: devpts: fix double-free on mount failure X-Git-Tag: firefly_0821_release~3680^2~3784^2~7 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=3850aba74873aa47fefe6900b99f42f5e656a6e7;p=firefly-linux-kernel-4.4.55.git devpts: fix double-free on mount failure devpts_kill_sb() is called even if devpts_fill_super() fails; we should not do that kfree() in the latter, especially not with ->s_fs_info left pointing to freed object. Double kfree() is a Bad Thing(tm)... Signed-off-by: Al Viro --- diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c index 79673eb71151..c4e2a58a2e82 100644 --- a/fs/devpts/inode.c +++ b/fs/devpts/inode.c @@ -301,7 +301,7 @@ devpts_fill_super(struct super_block *s, void *data, int silent) inode = new_inode(s); if (!inode) - goto free_fsi; + goto fail; inode->i_ino = 1; inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME; inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR; @@ -316,8 +316,6 @@ devpts_fill_super(struct super_block *s, void *data, int silent) printk(KERN_ERR "devpts: get root dentry failed\n"); iput(inode); -free_fsi: - kfree(s->s_fs_info); fail: return -ENOMEM; }
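Review bot: in the first hunk (@@ -301,7 +301,7), the `new_inode()` failure now jumps to `fail:`, which after this patch holds nothing but `return -ENOMEM;`. With no cleanup left at the label, `if (!inode) return -ENOMEM;` would state the same thing more directly. If the goto is kept for symmetry with the root-dentry path, note that this branch returns silently, while the other failure visible in the diff logs "devpts: get root dentry failed". Either a matching printk or a short comment that the silence is intended would make the two paths consistent.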
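Review bot: in the second hunk (@@ -316,8 +316,6), nothing at `fail:` tells a reader that s->s_fs_info is still allocated when devpts_fill_super() returns the error. The commit message explains that it is released later by devpts_kill_sb(). A one-line comment above `fail:` saying that ownership stays with the superblock and that devpts_kill_sb() does the kfree() would keep a later cleanup patch from reintroducing the free here. devpts_kill_sb() is not part of this diff, so it is also worth confirming in review that it handles every state s_fs_info can be in when fill_super fails, since the fix depends on it.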