[3/5] load_imsm_mpb: fix double free

Message ID 4ded262a-9313-d328-a3e1-fca56210bf62@huawei.com (mailing list archive)
State Superseded, archived
Delegated to: Jes Sorensen
Series mdadm: fix memory leak and double free

Commit Message

Wu Guanghao May 31, 2022, 6:50 a.m. UTC
When free(super->buf) is called but super->buf is not set to NULL, there will be a double free

get_super_block
	err = load_and_parse_mpb
		load_imsm_mpb(.., s, ..)
			if (posix_memalign(&super->buf, MAX_SECTOR_SIZE, super->len) != 0) // true, super->buf != NULL
			if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
				free(super->buf); //but super->buf not set NULL
				return 2;

	if err != 0
		if (s)
			free_imsm(s)
				 __free_imsm(s)
					if (s)
						free(s->buf); //double free

Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
---
 super-intel.c | 1 -
 1 file changed, 1 deletion(-)

Comments

Mariusz Tkaczyk May 31, 2022, 7:54 a.m. UTC | #1
On Tue, 31 May 2022 14:50:19 +0800
Wu Guanghao <wuguanghao3@huawei.com> wrote:

> When free(super->buf) is called but super->buf is not set to NULL, there will be a double free
> 
> get_super_block
> 	err = load_and_parse_mpb
> 		load_imsm_mpb(.., s, ..)
> 			if (posix_memalign(&super->buf, MAX_SECTOR_SIZE, super->len) != 0) // true, super->buf != NULL
> 			if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
> 				free(super->buf); //but super->buf not set NULL
> 				return 2;
> 
> 	if err != 0
> 		if (s)
> 			free_imsm(s)
> 				 __free_imsm(s)
> 					if (s)
> 						free(s->buf); //double free
> 
> Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
> ---
>  super-intel.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/super-intel.c b/super-intel.c
> index ba3bd41f..ef21ffba 100644
> --- a/super-intel.c
> +++ b/super-intel.c
> @@ -4452,7 +4452,6 @@ static int load_imsm_mpb(int fd, struct intel_super
> *super, char *devname) if (posix_memalign(&super->migr_rec_buf,
> MAX_SECTOR_SIZE, MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
>  		pr_err("could not allocate migr_rec buffer\n");
> -		free(super->buf);
>  		return 2;
>  	}
>  	super->clean_migration_record_by_mdmon = 0;
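Review bot: dropping the free() in this hunk trades the double free for a leak on any path where load_imsm_mpb() returns 2 and the caller does not go on to free_imsm(); the commit message only shows the get_super_block() caller. The minimal fix that keeps the function cleaning up after itself is to keep the free and clear the pointer, i.e. replace the removed line with `free(super->buf);` followed by `super->buf = NULL;`, so that `free(s->buf)` in __free_imsm() becomes a harmless free(NULL).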

On error, we should possibly clean up ourselves, so I would expect
load_imsm_mpb() to free super->buf in case an error occurs and set it
to NULL, especially since __free_imsm handles it.

Thanks,
Mariusz
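The two shapes of the error path under discussion, as an added example that is not mdadm's code: `struct intel_super`, `load_imsm_mpb_before()`, `load_imsm_mpb_after()` and `free_imsm()` are hypothetical cut-down stand-ins for the names in the patch, and `memalign_fi()` is an assumed fault-injection wrapper that makes the second allocation fail so the migr_rec_buf error path is reached deterministically. The "before" variant frees super->buf without clearing it, the "after" variant follows the free-and-NULL pattern suggested in the reply; the harness checks whether a freed-but-non-NULL pointer is left behind for a later generic cleanup to free again.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for posix_memalign() */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SECTOR_SIZE 4096
#define MIGR_REC_BUF_SECTORS 2

/* Hypothetical cut-down stand-in for mdadm's struct intel_super. */
struct intel_super {
	void *buf;
	void *migr_rec_buf;
	size_t len;
};

/* Fault injection (assumed helper): the fail_nr-th allocation of a run
 * returns ENOMEM without touching *out, like a real posix_memalign() failure. */
static int alloc_calls, fail_nr;

static int memalign_fi(void **out, size_t align, size_t size)
{
	if (++alloc_calls == fail_nr)
		return ENOMEM;
	return posix_memalign(out, align, size);
}

/* Pre-patch shape of the error path: buf is freed but left non-NULL. */
static int load_imsm_mpb_before(struct intel_super *super)
{
	if (memalign_fi(&super->buf, MAX_SECTOR_SIZE, super->len) != 0)
		return 1;
	if (memalign_fi(&super->migr_rec_buf, MAX_SECTOR_SIZE,
			MIGR_REC_BUF_SECTORS * MAX_SECTOR_SIZE) != 0) {
		free(super->buf);	/* super->buf now dangles */
		return 2;
	}
	return 0;
}

/* Free-and-NULL shape: local cleanup, and a later generic cleanup
 * sees NULL, which free() accepts as a no-op. */
static int load_imsm_mpb_after(struct intel_super *super)
{
	if (memalign_fi(&super->buf, MAX_SECTOR_SIZE, super->len) != 0)
		return 1;
	if (memalign_fi(&super->migr_rec_buf, MAX_SECTOR_SIZE,
			MIGR_REC_BUF_SECTORS * MAX_SECTOR_SIZE) != 0) {
		free(super->buf);
		super->buf = NULL;
		return 2;
	}
	return 0;
}

/* Generic cleanup in the spirit of __free_imsm(): frees whatever is set. */
static void free_imsm(struct intel_super *s)
{
	free(s->buf);
	free(s->migr_rec_buf);
	s->buf = NULL;
	s->migr_rec_buf = NULL;
}

/* Runs a load with the second allocation failing and returns 1 if the
 * error path left a freed-but-non-NULL buf behind, 0 if not, -1 if the
 * injected fault did not fire. For the pre-patch variant the dangling
 * pointer is cleared here rather than handed to free_imsm(), because
 * that hand-over is exactly the double free the patch is about. */
static int dangling_after_error(int use_fixed)
{
	struct intel_super s = { .len = MAX_SECTOR_SIZE };
	int err, dangling;

	alloc_calls = 0;
	fail_nr = 2;
	err = use_fixed ? load_imsm_mpb_after(&s) : load_imsm_mpb_before(&s);
	if (err != 2)
		return -1;
	dangling = s.buf != NULL;
	if (dangling)
		s.buf = NULL;	/* already freed; must not reach free_imsm() */
	free_imsm(&s);		/* what get_super_block() does on err != 0 */
	return dangling;
}

/* Success path: both buffers allocated, then released exactly once. */
static int load_and_release_ok(void)
{
	struct intel_super s = { .len = MAX_SECTOR_SIZE };

	alloc_calls = 0;
	fail_nr = 0;
	if (load_imsm_mpb_after(&s) != 0 || !s.buf || !s.migr_rec_buf)
		return 0;
	free_imsm(&s);
	return s.buf == NULL && s.migr_rec_buf == NULL;
}

int main(void)
{
	printf("pre-patch path leaves buf dangling: %d\n", dangling_after_error(0));
	printf("free+NULL path leaves buf dangling: %d\n", dangling_after_error(1));
	printf("success path releases cleanly: %d\n", load_and_release_ok());
	return 0;
}
```

Running it under AddressSanitizer or valgrind with the `s.buf = NULL` guard in `dangling_after_error()` removed turns the "before" case into a reported double free, which is the quickest way to reproduce the class of bug the commit message traces by hand.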
Patch

diff --git a/super-intel.c b/super-intel.c
index ba3bd41f..ef21ffba 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -4452,7 +4452,6 @@  static int load_imsm_mpb(int fd, struct intel_super *super, char *devname)
 	if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,
 	    MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
 		pr_err("could not allocate migr_rec buffer\n");
-		free(super->buf);
 		return 2;
 	}
 	super->clean_migration_record_by_mdmon = 0;
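Review bot: with `free(super->buf);` removed, this error path now returns 2 while super->buf is still allocated, so the function's cleanup contract changes silently; callers that do not reach free_imsm() after the error will leak the MAX_SECTOR_SIZE-aligned buffer. Prefer keeping the free and adding `super->buf = NULL;` right after it, which avoids the double free in __free_imsm() without moving the ownership of the buffer to the caller.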