summaryrefslogtreecommitdiff
path: root/crypto/authenc.c
diff options
context:
space:
mode:
authorShakeel Butt <shakeelb@google.com>2020-09-26 07:13:41 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2020-09-26 10:15:01 -0700
commit678ff6a7afccc43d352c1b8c94b6d8c0ee1464ad (patch)
tree5e8da2d0d8687dc174f0987e8bd29a82e3ba73cd /crypto/authenc.c
parent7c7ec3226f5f33f9c050d85ec20f18419c622ad6 (diff)
mm: slab: fix potential double free in ___cache_free
With the commit 10befea91b61 ("mm: memcg/slab: use a single set of kmem_caches for all allocations"), it becomes possible to call kfree() from the slabs_destroy(). The functions cache_flusharray() and do_drain() calls slabs_destroy() on array_cache of the local CPU without updating the size of the array_cache. This enables the kfree() call from the slabs_destroy() to recursively call cache_flusharray() which can potentially call free_block() on the same elements of the array_cache of the local CPU and causing double free and memory corruption. To fix the issue, simply update the local CPU array_cache cache before calling slabs_destroy(). Fixes: 10befea91b61 ("mm: memcg/slab: use a single set of kmem_caches for all allocations") Signed-off-by: Shakeel Butt <shakeelb@google.com> Reviewed-by: Roman Gushchin <guro@fb.com> Tested-by: Ming Lei <ming.lei@redhat.com> Reported-by: kernel test robot <rong.a.chen@intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Ted Ts'o <tytso@mit.edu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'crypto/authenc.c')
0 files changed, 0 insertions, 0 deletions