[PATCH] dm-integrity: fix double free on memory allocation failure

Mikulas Patocka <mpatocka@xxxxxxxxxx> · Mon, 3 Jul 2023 17:12:39 +0200 (CEST)

Hi

I found a bug in one of the patches that I submitted. Here I'm submitting 
the fix. Please send it to Linus before 6.5 is released.

Mikulas


From: Mikulas Patocka <mpatocka@xxxxxxxxxx>

If the statement "recalc_tags = kvmalloc(recalc_tags_size, GFP_NOIO);"
fails, we call "vfree(recalc_buffer)" and we jump to the label "oom".

If the condition "recalc_sectors >= 1U << ic->sb->log2_sectors_per_block"
is false, we jump to the label "free_ret" and call "vfree(recalc_buffer)"
again, on an already released memory block.

This commit fixes the bug by setting "recalc_buffer = NULL" after freeing
it.

Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Fixes: da8b4fc1f63a ("dm integrity: only allocate recalculate buffer when needed")

---
 drivers/md/dm-integrity.c |    1 +
 1 file changed, 1 insertion(+)

Index: linux-2.6/drivers/md/dm-integrity.c
===================================================================

--- linux-2.6.orig/drivers/md/dm-integrity.c
+++ linux-2.6/drivers/md/dm-integrity.c
@@ -2691,6 +2691,7 @@ oom:
 	recalc_tags = kvmalloc(recalc_tags_size, GFP_NOIO);
 	if (!recalc_tags) {
 		vfree(recalc_buffer);
+		recalc_buffer = NULL;
 		goto oom;
 	}
 
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel







