There is a double free in event_read_fields(). After calling free_token()
to free the token, if append() failed, then goto fail, which will call
free_token() again. Triggered by compiling with perf and run "perf sched
record". Fix the double free by goto fail_expect instead of fail while
append() failed, which won't call redundant free_token().
BUG: double free
free(): double free detected in tcache 2
Aborted
Fixes: ae6c0749ca74 ("tools lib traceevent: Handle realloc() failure path")
Signed-off-by: Shang XiaoJing <shangxiaojing@xxxxxxxxxx>
---
src/event-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/event-parse.c b/src/event-parse.c
index a0d7da5..d842f9d 100644
--- a/src/event-parse.c
+++ b/src/event-parse.c
@@ -1779,7 +1779,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
ret = append(&brackets, "", "]");
if (ret < 0) {
free(brackets);
- goto fail;
+ goto fail_expect;
}
/* add brackets to type */
--
2.17.1
|