From: Yufen Yu <yuyufen@huawei.com> hulk inclusion category: bugfix bugzilla: 30109 CVE: NA --------------------------- When device_add() fail, we just free rcu_dev and forget kobj->name. Using put_devcie to free both of rcu_dev and kobj->name. Fixes: 5ca4579ae59b ("bdi: fix use-after-free for the bdi device") Signed-off-by: Yufen Yu <yuyufen@huawei.com> Reviewed-by: Hou Tao <houtao1@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- mm/backing-dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 040d778..75a6117 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -921,7 +921,7 @@ int bdi_register_va(struct backing_dev_info *bdi, const char *fmt, va_list args) return 0; error: - kfree(rcu_dev); + put_device(&rcu_dev->dev); return retval; } EXPORT_SYMBOL(bdi_register_va); @@ -974,12 +974,12 @@ static void bdi_put_device_rcu(struct rcu_head *rcu) void bdi_unregister(struct backing_dev_info *bdi) { /* make sure nobody finds us on the bdi_list anymore */ - struct rcu_device *rcu_dev = bdi->rcu_dev; bdi_remove_from_list(bdi); wb_shutdown(&bdi->wb); cgwb_bdi_unregister(bdi); if (bdi->dev) { + struct rcu_device *rcu_dev = bdi->rcu_dev; bdi_debug_unregister(bdi); get_device(bdi->dev); device_unregister(bdi->dev); -- 1.8.3