mqueue: fix kernel BUG caused by double free() on mq_open()
In case of aborting because we reach the maximum amount of memory which
can be allocated to message queues per user (RLIMIT_MSGQUEUE), we would
try to free the message area twice when bailing out: first by the error
handling code itself, and then later when cleaning up the inode through
delete_inode().

Signed-off-by: André Goddard Rosa <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Al Viro <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
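The double free described in the commit message, modelled as an added example that is not the kernel's code: a message area is allocated and handed to an inode whose destructor releases it, and the pre-patch error path frees the area itself before the inode teardown frees it again. All names here (`toy_get_inode`, `toy_delete_inode`, `area_free`, `msg_area`, `toy_inode`) are stand-ins for `mqueue_get_inode()`, `mqueue_delete_inode()`, `kfree()`, `info->messages` and the mqueue inode; the byte counts are constructed. Instead of crashing on the second free, `area_free()` counts frees so the two paths can be compared.

```c
/* Added example: toy model of the mq_open() error path in ipc/mqueue.c.
 * Not the kernel's code; every name is a stand-in. */
#include <stddef.h>
#include <stdio.h>

struct msg_area {
    int free_count;             /* how many times this area was released */
};

struct toy_inode {
    struct msg_area *messages;  /* stands in for info->messages */
};

/* stands in for kfree(); counting instead of crashing lets us observe
 * the double release that made the real kernel BUG() */
static void area_free(struct msg_area *a)
{
    if (a)
        a->free_count++;
}

/* stands in for mqueue_delete_inode(): the inode owns the message area
 * and releases it when the inode is dropped on the out_inode path */
static void toy_delete_inode(struct toy_inode *inode)
{
    area_free(inode->messages);
    inode->messages = NULL;
}

/* Returns 0 on success, -1 when the per-user limit is exceeded.
 * `fixed` selects the pre-patch (0) or post-patch (1) error path. */
static int toy_get_inode(struct toy_inode *inode, struct msg_area *area,
                         long *user_bytes, long rlimit, long mq_bytes,
                         int fixed)
{
    inode->messages = area;         /* allocation handed to the inode */
    if (*user_bytes + mq_bytes > rlimit) {
        if (!fixed)
            area_free(inode->messages); /* pre-patch: first free */
        /* post-patch: toy_delete_inode() releases inode->messages */
        goto out_inode;
    }
    *user_bytes += mq_bytes;        /* charged only on success */
    return 0;
out_inode:
    toy_delete_inode(inode);        /* iput() path: frees again pre-patch */
    return -1;
}

/* Drive one over-limit open and report how often the area was freed. */
static int frees_on_rlimit_failure(int fixed)
{
    struct msg_area area = { 0 };
    struct toy_inode inode = { NULL };
    long user_bytes = 0;
    long rlimit = 64;               /* constructed: 128 bytes against a 64-byte limit */
    (void)toy_get_inode(&inode, &area, &user_bytes, rlimit, 128, fixed);
    return area.free_count;
}

/* Drive one in-limit open; the area must survive and the user be charged. */
static long charged_bytes_on_success(int *frees)
{
    struct msg_area area = { 0 };
    struct toy_inode inode = { NULL };
    long user_bytes = 0;
    (void)toy_get_inode(&inode, &area, &user_bytes, 64, 32, 1);
    *frees = area.free_count;
    return user_bytes;
}

int main(void)
{
    int frees = 0;
    printf("pre-patch  frees on RLIMIT_MSGQUEUE failure: %d\n",
           frees_on_rlimit_failure(0));
    printf("post-patch frees on RLIMIT_MSGQUEUE failure: %d\n",
           frees_on_rlimit_failure(1));
    printf("success: charged %ld bytes, area freed %d times\n",
           charged_bytes_on_success(&frees), frees);
    return 0;
}
```

The pre-patch run releases the area twice, once from the error branch and once from the inode teardown; the post-patch run releases it exactly once, from the teardown only, which is the ownership rule the one-line fix restores.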
andre-rosa authored and torvalds committed May 12, 2010
1 parent de145b4 commit a3ed2a1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion ipc/mqueue.c
Expand Up @@ -158,7 +158,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
u->mq_bytes + mq_bytes >
task_rlimit(p, RLIMIT_MSGQUEUE)) {
spin_unlock(&mq_lock);
kfree(info->messages);
/* mqueue_delete_inode() releases info->messages */
goto out_inode;
}
u->mq_bytes += mq_bytes;
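Review bot: the replacement comment `/* mqueue_delete_inode() releases info->messages */` should also record that the accounting step `u->mq_bytes += mq_bytes;` has not run on this path, since that is what makes the bail-out asymmetric with a normal teardown; anyone following `goto out_inode` needs to confirm that mqueue_delete_inode() only frees the message array here and does not also subtract mq_bytes from a user that was never charged. The commit message names the teardown delete_inode() while the comment says mqueue_delete_inode(); use one name in both.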