mm: shrinkers: fix double kfree on shrinker name

syzbot is reporting double kfree() at free_prealloced_shrinker() [1], for
destroy_unused_super() calls free_prealloced_shrinker() even if
prealloc_shrinker() returned an error.  Explicitly clear shrinker name
when prealloc_shrinker() called kfree().

Link: https://syzkaller.appspot.com/bug?extid=8b481578352d4637f510
Link: https://lkml.kernel.org/r/ffa62ece-6a42-2644-16cf-0d33ef32c676@I-love.SAKURA.ne.jp
Fixes: e33c267ab70de424 ("mm: shrinkers: provide shrinkers with names")
Reported-by: syzbot <syzbot+8b481578352d4637f510@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/vmscan.c b/mm/vmscan.c
index f58761cea0a0609b0dab9d0a5e19f82ee7ed88d3..f8d97b905f210fbcd243983de096dfb2c06730fa 100644 (file)
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -704,8 +704,10 @@ int register_shrinker(struct shrinker *shrinker, const char *fmt, ...)
                return -ENOMEM;
 
        err = __register_shrinker(shrinker);
-       if (err)
+       if (err) {
                kfree_const(shrinker->name);
+               shrinker->name = NULL;
+       }
        return err;
 }
 #else