devpts: fix double-free on mount failure
Al Viro [Mon, 9 Jan 2012 00:40:27 +0000 (19:40 -0500)]
devpts_kill_sb() is called even if devpts_fill_super() fails;
we should not do that kfree() in the latter, especially not
with ->s_fs_info left pointing to freed object.  Double kfree()
is a Bad Thing(tm)...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

fs/devpts/inode.c

index 79673eb..c4e2a58 100644 (file)
@@ -301,7 +301,7 @@ devpts_fill_super(struct super_block *s, void *data, int silent)
 
        inode = new_inode(s);
        if (!inode)
-               goto free_fsi;
+               goto fail;
        inode->i_ino = 1;
        inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME;
        inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR;
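Review bot: The `goto fail` taken when new_inode() fails now returns with s->s_fs_info still allocated and non-NULL, and nothing in the function says this is deliberate. According to the commit message the object is released by devpts_kill_sb(), which runs even when devpts_fill_super() fails, so the ownership rule is worth recording at the `fail:` label in the second hunk. Something like `/* s->s_fs_info is freed by devpts_kill_sb(), which also runs on failure; do not kfree() it here */` would keep a later cleanup from re-adding the kfree() and reintroducing the double free. The function body starts before and ends after this hunk and devpts_kill_sb() is not shown, so its handling of s_fs_info is taken from the commit description rather than from visible code.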
@@ -316,8 +316,6 @@ devpts_fill_super(struct super_block *s, void *data, int silent)
        printk(KERN_ERR "devpts: get root dentry failed\n");
        iput(inode);
 
-free_fsi:
-       kfree(s->s_fs_info);
 fail:
        return -ENOMEM;
 }