diff options
author | zhangyue <zhangyue1@kylinos.cn> | 2021-11-16 10:35:26 +0800 |
---|---|---|
committer | Song Liu <song@kernel.org> | 2021-12-10 09:11:07 -0800 |
commit | 07641b5f32f6991758b08da9b1f4173feeb64f2a (patch) | |
tree | 917fff6c999b47fd78b661b151e491da7851ed00 | |
parent | 55df1ce0d4e086e05a8ab20619c73c729350f965 (diff) | |
download | linux-07641b5f32f6991758b08da9b1f4173feeb64f2a.tar.bz2 |
md: fix double free of mddev->private in autorun_array()
In driver/md/md.c, if the function autorun_array() is called,
the problem of double free may occur.
In function autorun_array(), when the function do_md_run() returns an
error, the function do_md_stop() will be called.
The function do_md_run() called function md_run(), but in function
md_run(), the pointer mddev->private may be freed.
The function do_md_stop() called the function __md_stop(), but in
function __md_stop(), the pointer mddev->private also will be freed
without judging null.
At this time, the pointer mddev->private will be double free, so it
needs to be judged null or not.
Signed-off-by: zhangyue <zhangyue1@kylinos.cn>
Signed-off-by: Song Liu <songliubraving@fb.com>
-rw-r--r-- | drivers/md/md.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c index e97d2faf1e88..41d6e2383517 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -6271,7 +6271,8 @@ static void __md_stop(struct mddev *mddev) spin_lock(&mddev->lock); mddev->pers = NULL; spin_unlock(&mddev->lock); - pers->free(mddev, mddev->private); + if (mddev->private) + pers->free(mddev, mddev->private); mddev->private = NULL; if (pers->sync_request && mddev->to_remove == NULL) mddev->to_remove = &md_redundancy_group; |