From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932880AbdKGAB2 (ORCPT ); Mon, 6 Nov 2017 19:01:28 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:52701 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932813AbdKFXyi (ORCPT ); Mon, 6 Nov 2017 18:54:38 -0500 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "David S. Miller" , "Nikolay Aleksandrov" Date: Mon, 06 Nov 2017 23:03:02 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 177/294] sch_fq_codel: avoid double free on init failure In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.50-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Nikolay Aleksandrov commit 30c31d746d0eb458ae327f522bc8e4c44cbea0f0 upstream. It is very unlikely to happen but the backlogs memory allocation could fail and will free q->flows, but then ->destroy() will free q->flows too. For correctness remove the first free and let ->destroy clean up. Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller [bwh: Backported to 3.16: fq_codel used different alloc/free functions] Signed-off-by: Ben Hutchings --- net/sched/sch_fq_codel.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/net/sched/sch_fq_codel.c +++ b/net/sched/sch_fq_codel.c @@ -411,10 +411,8 @@ static int fq_codel_init(struct Qdisc *s if (!q->flows) return -ENOMEM; q->backlogs = fq_codel_zalloc(q->flows_cnt * sizeof(u32)); - if (!q->backlogs) { - fq_codel_free(q->flows); + if (!q->backlogs) return -ENOMEM; - } for (i = 0; i < q->flows_cnt; i++) { struct fq_codel_flow *flow = q->flows + i;