
From: Chen Jun <chenjun102@huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I64Y5Y CVE: NA ------------------------------- If local_group_add_task fails in init_local_group. ida free the same id twice. init_local_group local_group_add_task // failed goto free_spg free_spg: free_sp_group_locked free_sp_group_id // free spg->id free_spg_id: free_new_spg_id // double free spg->id To fix it, return before calling free_new_spg_id. Signed-off-by: Chen Jun <chenjun102@huawei.com> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: chenweilong <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com> --- mm/share_pool.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/mm/share_pool.c b/mm/share_pool.c index 41ed3a3b8682..d2591c73a503 100644 --- a/mm/share_pool.c +++ b/mm/share_pool.c @@ -301,8 +301,8 @@ static int init_local_group(struct mm_struct *mm) spg = create_spg(spg_id, 0); if (IS_ERR(spg)) { - ret = PTR_ERR(spg); - goto free_spg_id; + free_new_spg_id(true, spg_id); + return PTR_ERR(spg); } master->local = spg; @@ -322,11 +322,9 @@ static int init_local_group(struct mm_struct *mm) return 0; free_spg: + /* spg_id is freed in free_sp_group_locked */ free_sp_group_locked(spg); master->local = NULL; -free_spg_id: - free_new_spg_id(true, spg_id); - return ret; } -- 2.25.1
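Review bot: In the first hunk (the `IS_ERR(spg)` branch around line 301), the inline `free_new_spg_id(true, spg_id); return PTR_ERR(spg);` is the right shape for this path, since no `struct sp_group` exists yet and `free_sp_group_locked` therefore cannot release the id for us; the cost is that the two cleanup paths now diverge, so a one-line comment beside the new call saying that the id must be released by hand here because `create_spg` never took ownership of it would keep the next reader from "unifying" it back into a shared label and reintroducing the double free. Also confirm that `ret` is still assigned on every remaining path that reaches the final `return ret;` now that `ret = PTR_ERR(spg);` is gone; from the visible context that looks to be only the `local_group_add_task` failure, but the assignment is outside the hunk.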
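Review bot: In the second hunk (`free_spg:` around line 322), removing the `free_spg_id:` label breaks the build if any other `goto free_spg_id` survives elsewhere in `init_local_group`; the hunk only shows the one site in the `create_spg` error path being rewritten, so please confirm no other jump to that label remains outside the visible context. The added comment `/* spg_id is freed in free_sp_group_locked */` could be more specific by naming the call chain given in the commit message (`free_sp_group_locked` -> `free_sp_group_id`, which releases `spg->id`), which makes the ownership transfer of the id explicit at the point where it matters. Finally, check that the closing `return ret;` is retained as unchanged context after the deleted blank line: the header counts (`-322,11 +322,9`, three deletions and one insertion) are consistent with that, but as extracted here the line reads as if it were deleted, which would leave `free_spg` falling off the end of an `int` function.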