On Thu, 9 Jun 2022 11:07:56 +0800
Wu Guanghao <wuguanghao3@xxxxxxxxxx> wrote:
> When free(super->buf) but not set super->buf = NULL, will be double free.
>
> get_super_block
> err = load_and_parse_mpb
> load_imsm_mpb(.., s, ..)
> if (posix_memalign(&super->buf, MAX_SECTOR_SIZE,
> super->len) != 0) // true, super->buf != NULL if
> (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
> free(super->buf); //but super->buf not set NULL return 2;
>
> if err ! = 0
> if (s)
> free_imsm(s)
> __free_imsm(s)
> if (s)
> free(s->buf); //double free
>
> Signed-off-by: Wu Guanghao <wuguanghao3@xxxxxxxxxx>
> ---
> super-intel.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/super-intel.c b/super-intel.c
> index ba3bd41f..ee9e112e 100644
> --- a/super-intel.c
> +++ b/super-intel.c
> @@ -4453,6 +4453,7 @@ static int load_imsm_mpb(int fd, struct intel_super
> *super, char *devname) MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
> pr_err("could not allocate migr_rec buffer\n");
> free(super->buf);
> + super->buf = NULL;
> return 2;
> }
> super->clean_migration_record_by_mdmon = 0;
> --
> 2.27.0
Reviewed-by: Mariusz Tkaczyk <mariusz.tkaczyk@xxxxxxxxxxxxxxx>
