diff options
| author | Wu Guanghao <wuguanghao3@huawei.com> | 2023-03-04 00:21:33 +0800 |
|---|---|---|
| committer | Jes Sorensen <jes@trained-monkey.org> | 2023-03-08 13:54:30 -0500 |
| commit | 50cd06b484bb99bfacdd4f9d2f8ee5e52bfc7bd3 (patch) | |
| tree | 34b8235597550c4bd92a046c407d85ad56362ad1 | |
| parent | dac0b5121dd77bf1659b95248423445f932dfae4 (diff) | |
| download | mdadm-50cd06b484bb99bfacdd4f9d2f8ee5e52bfc7bd3.tar.gz | |
isuper-intel.c: fix double free in load_imsm_mpb()
In load_imsm_mpb() there is potential double free issue on super->buf.
The first location to free super->buf is from get_super_block() <==
load_and_parse_mpb() <== load_imsm_mpb():
4514 if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,
4515 MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
4516 pr_err("could not allocate migr_rec buffer\n");
4517 free(super->buf);
4518 return 2;
4519 }
If the above error condition happens, super->buf is freed and value 2
is returned to get_super_block() eventually. Then in the following code
block inside load_imsm_mpb(),
5289 error:
5290 if (!err) {
5291 s->next = *super_list;
5292 *super_list = s;
5293 } else {
5294 if (s)
5295 free_imsm(s);
5296 close_fd(&dfd);
5297 }
at line 5295 when free_imsm() is called, super->buf is freed again from
the call chain free_imsm() <== __free_imsm(), in following code block,
4651 if (super->buf) {
4652 free(super->buf);
4653 super->buf = NULL;
4654 }
This patch sets super->buf as NULL after line 4517 in load_imsm_mpb()
to avoid the potential double free().
(Coly Li helps to re-compose the commit log)
Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
Reviewed-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
Acked-by: Coly Li <colyli@suse.de>
Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
| -rw-r--r-- | super-intel.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/super-intel.c b/super-intel.c index 89fac62..4a3da84 100644 --- a/super-intel.c +++ b/super-intel.c @@ -4515,6 +4515,7 @@ static int load_imsm_mpb(int fd, struct intel_super *super, char *devname) MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) { pr_err("could not allocate migr_rec buffer\n"); free(super->buf); + super->buf = NULL; return 2; } super->clean_migration_record_by_mdmon = 0; |