From: Kees Cook <[email protected]>

Avoid using ipc_rcu_free, since it just re-finds the original structure
pointer. For the pre-list-init failure path, there is no RCU needed,
since it was just allocated. It can be directly freed.

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Manfred Spraul <[email protected]>
---
 ipc/sem.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipc/sem.c b/ipc/sem.c
index 484ccf8..a04c4d6 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -258,13 +258,18 @@ static void merge_queues(struct sem_array *sma)
        }
 }
 
+static void __sem_free(struct sem_array *sma)
+{
+       kvfree(sma);
+}
+
 static void sem_rcu_free(struct rcu_head *head)
 {
        struct kern_ipc_perm *p = container_of(head, struct kern_ipc_perm, rcu);
        struct sem_array *sma = container_of(p, struct sem_array, sem_perm);
 
        security_sem_free(sma);
-       ipc_rcu_free(head);
+       __sem_free(sma);
 }
 
 /*
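Review bot: `__sem_free()` passes `sma` straight to `kvfree()` with no comment saying that `sma` must be the exact pointer the allocator returned, and the allocation is not visible in this hunk, so the pairing cannot be checked here. If the allocation ever gained a header in front of `struct sem_array`, or moved to an allocator that `kvfree()` does not cover, the RCU callback `sem_rcu_free()` would free the wrong address. I would add above the helper: `/* sma must be the pointer returned by the sem_array allocation; kvfree() has to match that allocator. */`. The order in `sem_rcu_free()`, with `security_sem_free(sma)` before the free, looks right because the hook is handed the object that is about to be released.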
@@ -482,7 +487,7 @@ static int newary(struct ipc_namespace *ns, struct 
ipc_params *params)
        sma->sem_perm.security = NULL;
        retval = security_sem_alloc(sma);
        if (retval) {
-               ipc_rcu_putref(&sma->sem_perm, ipc_rcu_free);
+               __sem_free(sma);
                return retval;
        }
 
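Review bot: The direct `__sem_free(sma)` in the `security_sem_alloc()` failure branch skips both the reference count and the RCU grace period, which is safe only while `sma` is not yet reachable by any other CPU. The commit message says so, but nothing at the call site does, so a later reordering of `newary()` that publishes the object earlier would turn this into a use-after-free. A short comment on the branch would pin the invariant, e.g. `/* sma is not yet visible to anyone else: no RCU or refcount needed */`. It is also worth confirming that a failing `security_sem_alloc()` leaves nothing attached to `sma->sem_perm.security`, since this path does not call `security_sem_free()`; as far as the hunk shows, the removed line did not call it either. `newary()` begins and ends outside the hunk.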
-- 
2.9.3
