From: zhangyue zhangyue1@kylinos.cn
mainline inclusion
from mainline-v5.16-rc5
commit 07641b5f32f6991758b08da9b1f4173feeb64f2a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I63WZE
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
In drivers/md/md.c, if the function autorun_array() is called, a double free may occur.
In the function autorun_array(), when the function do_md_run() returns an error, the function do_md_stop() will be called.
The function do_md_run() calls the function md_run(), but in the function md_run(), the pointer mddev->private may be freed.
The function do_md_stop() calls the function __md_stop(), but in the function __md_stop(), the pointer mddev->private will also be freed without checking whether it is NULL.
At this point, the pointer mddev->private will be freed twice, so it needs to be checked for NULL.
Signed-off-by: zhangyue zhangyue1@kylinos.cn
Signed-off-by: Song Liu songliubraving@fb.com
Signed-off-by: Li Nan linan122@huawei.com
---
 drivers/md/md.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c index f52ce85c6561..db2a535f5c71 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -6363,7 +6363,8 @@ static void __md_stop(struct mddev *mddev) spin_lock(&mddev->lock); mddev->pers = NULL; spin_unlock(&mddev->lock); - pers->free(mddev, mddev->private); + if (mddev->private) + pers->free(mddev, mddev->private); mddev->private = NULL; if (pers->sync_request && mddev->to_remove == NULL) mddev->to_remove = &md_redundancy_group;
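Review bot: The new `if (mddev->private)` guard in __md_stop() only prevents the double free if the md_run() error path sets mddev->private to NULL after freeing it, and neither this hunk nor the commit message shows that it does. The message says only that the pointer "may be freed" there. Please confirm that md_run() clears the pointer on every path that frees it and state that in the commit message, because a stale non-NULL pointer would pass this check and still be freed a second time. A short comment above the check naming the autorun_array() failure path would also help, since the unconditional `mddev->private = NULL;` on the next line makes the guard look redundant to a later reader.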