> On 2 Aug 2022, at 10:16, Wu Guanghao <wuguanghao3@xxxxxxxxxx> wrote:
> 
> When free(super->buf) is called but super->buf is not set to NULL, there will be a double free.
> 
> get_super_block
>   err = load_and_parse_mpb
>     load_imsm_mpb(.., s, ..)
>       if (posix_memalign(&super->buf, MAX_SECTOR_SIZE, super->len) != 0) // true, super->buf != NULL
>       if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
>         free(super->buf); // but super->buf not set NULL
>         return 2;
> 
>   if err != 0
>     if (s)
>       free_imsm(s)
>         __free_imsm(s)
>           if (s)
>             free(s->buf); // double free
> 
> Signed-off-by: Wu Guanghao <wuguanghao3@xxxxxxxxxx>
> Reviewed-by: Mariusz Tkaczyk <mariusz.tkaczyk@xxxxxxxxxxxxxxx>

Acked-by: Coly Li <colyli@xxxxxxx>

Thanks.

Coly Li

> ---
>  super-intel.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/super-intel.c b/super-intel.c
> index 4ddfcf94..ddbdd3e1 100644
> --- a/super-intel.c
> +++ b/super-intel.c
> @@ -4510,6 +4510,7 @@ static int load_imsm_mpb(int fd, struct intel_super *super, char *devname)
>  			 MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
>  		pr_err("could not allocate migr_rec buffer\n");
>  		free(super->buf);
> +		super->buf = NULL;
>  		return 2;
>  	}
>  	super->clean_migration_record_by_mdmon = 0;
> -- 
> 2.27.0
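Review bot: the one-line fix is sufficient for the path described in the message, because the error return hands `super` back to a caller that runs `free_imsm()` / `__free_imsm()`, which unconditionally calls `free(s->buf)`; clearing the pointer after `free(super->buf)` turns that second free into a no-op instead of a double free. Two follow-ups worth confirming in the same function: first, that `super->migr_rec_buf` cannot be left holding a stale non-NULL value after the failed `posix_memalign()` (POSIX leaves `*memptr` unspecified on failure), since any later free of it in `__free_imsm()` would have the same shape of bug; second, that any other early return in `load_imsm_mpb()` that frees `super->buf` also resets it to NULL, so the invariant "a pointer in `struct intel_super` is either owned or NULL" holds on every exit path rather than only this one.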