devpts: fix double-free on mount failure

devpts_kill_sb() is called even if devpts_fill_super() fails; we should not do that kfree() in the latter, especially not with ->s_fs_info left pointing to freed object. Double kfree() is a Bad Thing(tm)... Signed-off-by: Al Viro <[email protected]>
rtvt123 · Jan 9, 2012 · 3850aba · 3850aba
1 parent 87da5b3
commit 3850aba
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
@@ -301,7 +301,7 @@ devpts_fill_super(struct super_block *s, void *data, int silent)
 
 	inode = new_inode(s);
 	if (!inode)
-		goto free_fsi;
+		goto fail;
 	inode->i_ino = 1;
 	inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
 	inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR;
@@ -316,8 +316,6 @@ devpts_fill_super(struct super_block *s, void *data, int silent)
 	printk(KERN_ERR "devpts: get root dentry failed\n");
 	iput(inode);
 
-free_fsi:
-	kfree(s->s_fs_info);
 fail:
 	return -ENOMEM;
 }