From: Yufen Yu yuyufen@huawei.com
hulk inclusion category: bugfix bugzilla: 30109 CVE: NA ---------------------------
When device_add() fail, we just free rcu_dev and forget kobj->name. Using put_devcie to free both of rcu_dev and kobj->name.
Fixes: 5ca4579ae59b ("bdi: fix use-after-free for the bdi device") Signed-off-by: Yufen Yu yuyufen@huawei.com Reviewed-by: Hou Tao houtao1@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- mm/backing-dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/backing-dev.c b/mm/backing-dev.c index 040d778..75a6117 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -921,7 +921,7 @@ int bdi_register_va(struct backing_dev_info *bdi, const char *fmt, va_list args) return 0;
error: - kfree(rcu_dev); + put_device(&rcu_dev->dev); return retval; } EXPORT_SYMBOL(bdi_register_va); @@ -974,12 +974,12 @@ static void bdi_put_device_rcu(struct rcu_head *rcu) void bdi_unregister(struct backing_dev_info *bdi) { /* make sure nobody finds us on the bdi_list anymore */ - struct rcu_device *rcu_dev = bdi->rcu_dev; bdi_remove_from_list(bdi); wb_shutdown(&bdi->wb); cgwb_bdi_unregister(bdi);
if (bdi->dev) { + struct rcu_device *rcu_dev = bdi->rcu_dev; bdi_debug_unregister(bdi); get_device(bdi->dev); device_unregister(bdi->dev);