
From: Tang Yizhou <tangyizhou@huawei.com>
ascend inclusion
category: bugfix
bugzilla: 46925
CVE: NA
-------------------------------------------------
sp_group_add_task() may be called with a valid spg_id as input parameter. It should not be freed in abnormal branch.
Reported-by: Wang Wensheng <wangwensheng4@huawei.com>
Signed-off-by: Tang Yizhou <tangyizhou@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 mm/share_pool.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/mm/share_pool.c b/mm/share_pool.c
index ac02b9d624a8..0978c32704e5 100644
--- a/mm/share_pool.c
+++ b/mm/share_pool.c
@@ -500,6 +500,7 @@ int sp_group_add_task(int pid, int spg_id)
 struct mm_struct *mm;
 struct sp_group *spg;
 int ret = 0;
+ bool id_newly_generated = false;
 struct sp_area *spa, *prev = NULL;
 struct sp_proc_stat *stat;
@@ -538,6 +539,7 @@ int sp_group_add_task(int pid, int spg_id)
 "generate group id failed\n");
 return spg_id;
 }
+ id_newly_generated = true;
 }
 if (spg_id == SPG_ID_DVPP_PASS_THROUGH) {
@@ -550,6 +552,7 @@ int sp_group_add_task(int pid, int spg_id)
 "generate group id failed in DVPP pass through\n");
 return spg_id;
 }
+ id_newly_generated = true;
 }
 mutex_lock(&sp_mutex);
@@ -564,7 +567,8 @@ int sp_group_add_task(int pid, int spg_id)
 rcu_read_unlock();
 if (ret) {
- free_sp_group_id((unsigned int)spg_id);
+ if (id_newly_generated)
+ free_sp_group_id((unsigned int)spg_id);
 goto out_unlock;
 }
@@ -581,7 +585,8 @@ int sp_group_add_task(int pid, int spg_id)
 spg = find_or_alloc_sp_group(spg_id);
 if (IS_ERR(spg)) {
 ret = PTR_ERR(spg);
- free_sp_group_id((unsigned int)spg_id);
+ if (id_newly_generated)
+ free_sp_group_id((unsigned int)spg_id);
 goto out_put_mm;
 }
--
2.25.1
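Review bot: The flag `id_newly_generated` declared in the first hunk (`@@ -500,6 +500,7 @@`) encodes who owns `spg_id`, yet nothing at the declaration says so; I would add `/* true only if this call generated spg_id; a caller-supplied id must never be released on error */` above it. The hunks at `-538,6` and `-550,6` set it right after the two generation branches succeed, which matches that rule. Releasing a caller-supplied id would presumably hand an id that an existing group may still be using back to the allocator, so anyone editing these error paths later needs the rule in front of them. The body of sp_group_add_task() starts and ends outside the hunks.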
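Review bot: Only the two failure exits in the `-564,7` and `-581,7` hunks get the `if (id_newly_generated)` guard, and sp_group_add_task() continues past both hunks, so the exits that follow `find_or_alloc_sp_group()` are not visible here. It is worth confirming that none of them calls `free_sp_group_id()` unguarded, and that a newly generated id is released exactly once when a later step fails; whether group teardown does that cannot be told from the diff. A short comment at the second site, such as `/* no group owns the id yet; release it only if we generated it */`, would record why the release belongs on this path.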