From: André Goddard Rosa Date: Tue, 11 May 2010 21:07:03 +0000 (-0700) Subject: mqueue: fix kernel BUG caused by double free() on mq_open() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a3ed2a15719219769bb095b28009c1d654a419e8;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git mqueue: fix kernel BUG caused by double free() on mq_open() In case of aborting because we reach the maximum amount of memory which can be allocated to message queues per user (RLIMIT_MSGQUEUE), we would try to free the message area twice when bailing out: first by the error handling code itself, and then later when cleaning up the inode through delete_inode(). Signed-off-by: André Goddard Rosa Cc: Alexey Dobriyan Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 722b0130aa94..59a009dc54a8 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -158,7 +158,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) { spin_unlock(&mq_lock); - kfree(info->messages); + /* mqueue_delete_inode() releases info->messages */ goto out_inode; } u->mq_bytes += mq_bytes;