From: Greg Kroah-Hartman Date: Thu, 28 Jan 2021 21:19:04 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.254~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17c0bbe86aaea8c45dacb6a89d39b7c95b47dae8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch --- diff --git a/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch b/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch new file mode 100644 index 00000000000..a9ba18187a2 --- /dev/null +++ b/queue-4.19/revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch 
@@ -0,0 +1,57 @@ +From 757fed1d0898b893d7daa84183947c70f27632f3 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Thu, 28 Jan 2021 19:32:50 +0800 +Subject: Revert "mm/slub: fix a memory leak in sysfs_slab_add()" + +From: Wang Hai + +commit 757fed1d0898b893d7daa84183947c70f27632f3 upstream. + +This reverts commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2. + +syzbot report a double-free bug. The following case can cause this bug. + + - mm/slab_common.c: create_cache(): if the __kmem_cache_create() fails, + it does: + + out_free_cache: + kmem_cache_free(kmem_cache, s); + + - but __kmem_cache_create() - at least for slub() - will have done + + sysfs_slab_add(s) + -> sysfs_create_group() .. fails .. + -> kobject_del(&s->kobj); .. which frees s ... + +We can't remove the kmem_cache_free() in create_cache(), because other +error cases of __kmem_cache_create() do not free this. + +So, revert the commit dde3c6b72a16 ("mm/slub: fix a memory leak in +sysfs_slab_add()") to fix this. + +Reported-by: syzbot+d0bd96b4696c1ef67991@syzkaller.appspotmail.com +Fixes: dde3c6b72a16 ("mm/slub: fix a memory leak in sysfs_slab_add()") +Acked-by: Vlastimil Babka +Signed-off-by: Wang Hai +Cc: +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -5766,10 +5766,8 @@ static int sysfs_slab_add(struct kmem_ca + + s->kobj.kset = kset; + err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name); +- if (err) { +- kobject_put(&s->kobj); ++ if (err) + goto out; +- } + + err = sysfs_create_group(&s->kobj, &slab_attr_group); + if (err) diff --git a/queue-4.19/series b/queue-4.19/series index c3bb9745d1f..2f6eb4bbd98 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -10,3 +10,4 @@ futex_Add_mutex_around_futex_exit.patch futex_Provide_distinct_return_value_when_owner_is_exiting.patch futex_Prevent_exit_livelock.patch gpio-mvebu-fix-pwm-.get_state-period-calculation.patch +revert-mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch
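Review bot: the failure path walked through in the commit message does not match the lines the mm/slub.c hunk changes. The message describes sysfs_create_group() failing and kobject_del(&s->kobj) freeing s, but the hunk removes kobject_put(&s->kobj) from the error branch of kobject_init_and_add(), one call earlier, and leaves the sysfs_create_group() branch untouched. If the dropped kobject_put() is what releases s before create_cache() reaches kmem_cache_free(kmem_cache, s), the message should name that path, so that someone auditing the double free can map the syzbot report to the changed lines. The revert also brings back the leak named in the title of dde3c6b72a16, and nothing in the hunk records that this is deliberate. A short comment above the now bare "if (err) goto out;" saying that the put is omitted because the caller frees s on failure would keep a later cleanup from reintroducing the double free.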