When free(super->buf) but not set super->buf = NULL, will be double free
get_super_block
err = load_and_parse_mpb
load_imsm_mpb(.., s, ..)
if (posix_memalign(&super->buf, MAX_SECTOR_SIZE, super->len) != 0) // true, super->buf != NULL
if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
free(super->buf); //but super->buf not set NULL
return 2;
if err ! = 0
if (s)
free_imsm(s)
__free_imsm(s)
if (s)
free(s->buf); //double free
Signed-off-by: Wu Guanghao <wuguanghao3@xxxxxxxxxx>
---
super-intel.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/super-intel.c b/super-intel.c
index ba3bd41f..ef21ffba 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -4452,7 +4452,6 @@ static int load_imsm_mpb(int fd, struct intel_super *super, char *devname)
if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,
MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
pr_err("could not allocate migr_rec buffer\n");
- free(super->buf);
return 2;
}
super->clean_migration_record_by_mdmon = 0;
--
2.27.0
