--- /dev/null
+From 757fed1d0898b893d7daa84183947c70f27632f3 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Thu, 28 Jan 2021 19:32:50 +0800
+Subject: Revert "mm/slub: fix a memory leak in sysfs_slab_add()"
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 757fed1d0898b893d7daa84183947c70f27632f3 upstream.
+
+This reverts commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2.
+
+syzbot report a double-free bug. The following case can cause this bug.
+
+ - mm/slab_common.c: create_cache(): if the __kmem_cache_create() fails,
+ it does:
+
+ out_free_cache:
+ kmem_cache_free(kmem_cache, s);
+
+ - but __kmem_cache_create() - at least for slub() - will have done
+
+ sysfs_slab_add(s)
+ -> sysfs_create_group() .. fails ..
+ -> kobject_del(&s->kobj); .. which frees s ...
+
+We can't remove the kmem_cache_free() in create_cache(), because other
+error cases of __kmem_cache_create() do not free this.
+
+So, revert the commit dde3c6b72a16 ("mm/slub: fix a memory leak in
+sysfs_slab_add()") to fix this.
+
+Reported-by: syzbot+d0bd96b4696c1ef67991@syzkaller.appspotmail.com
+Fixes: dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()")
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slub.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5766,10 +5766,8 @@ static int sysfs_slab_add(struct kmem_ca
+
+ s->kobj.kset = kset;
+ err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
+- if (err) {
+- kobject_put(&s->kobj);
++ if (err)
+ goto out;
+- }
+
+ err = sysfs_create_group(&s->kobj, &slab_attr_group);
+ if (err)
projects / thirdparty / kernel / stable-queue.git / commitdiff
