Message ID | 20190919064045.23193-1-honli@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Leon Romanovsky |
Series | [rdma-core] srp_daemon: fix a double free segment fault for ibsrpdm |
On 9/18/19 11:40 PM, Honggang LI wrote: > diff --git a/srp_daemon/srp_daemon.c b/srp_daemon/srp_daemon.c > index 337b21c7..f0bcf923 100644 > --- a/srp_daemon/srp_daemon.c > +++ b/srp_daemon/srp_daemon.c > @@ -727,6 +727,7 @@ end: > if (ret) { > free(*ibport); > free(*ibdev); > + *ibdev = NULL; > } > free(class_dev_path); Reviewed-by: Bart Van Assche <bvanassche@acm.org>
On Thu, Sep 19, 2019 at 02:40:45PM +0800, Honggang LI wrote:
> From: Honggang Li <honli@redhat.com>
>
> Command: ./ibsrpdm -d /dev/infiniband/umadX
>
> Invalid free() / delete / delete[] / realloc()
>    at 0x4C320DC: free (vg_replace_malloc.c:540)
>    by 0x403BBB: free_config (srp_daemon.c:1811)
>    by 0x4031BE: ibsrpdm (srp_daemon.c:2113)
>    by 0x4031BE: main (srp_daemon.c:2153)
>  Address 0x5ee5fd0 is 0 bytes inside a block of size 16 free'd
>    at 0x4C320DC: free (vg_replace_malloc.c:540)
>    by 0x404851: translate_umad_to_ibdev_and_port (srp_daemon.c:729)
>    by 0x404851: set_conf_dev_and_port (srp_daemon.c:1586)
>    by 0x403171: ibsrpdm (srp_daemon.c:2092)
>    by 0x403171: main (srp_daemon.c:2153)
>  Block was alloc'd at
>    at 0x4C30EDB: malloc (vg_replace_malloc.c:309)
>    by 0x40478D: translate_umad_to_ibdev_and_port (srp_daemon.c:698)
>    by 0x40478D: set_conf_dev_and_port (srp_daemon.c:1586)
>    by 0x403171: ibsrpdm (srp_daemon.c:2092)
>    by 0x403171: main (srp_daemon.c:2153)
>
> Signed-off-by: Honggang Li <honli@redhat.com>
> ---
>  srp_daemon/srp_daemon.c | 1 +
>  1 file changed, 1 insertion(+)

Queued, https://github.com/linux-rdma/rdma-core/pull/585

Thanks
diff --git a/srp_daemon/srp_daemon.c b/srp_daemon/srp_daemon.c index 337b21c7..f0bcf923 100644 --- a/srp_daemon/srp_daemon.c +++ b/srp_daemon/srp_daemon.c @@ -727,6 +727,7 @@ end: if (ret) { free(*ibport); free(*ibdev); + *ibdev = NULL; } free(class_dev_path);
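Review bot: *ibport is still left dangling in the "if (ret)" branch under the end: label, because after "free(*ibport); free(*ibdev);" only *ibdev is reset to NULL. The trace in the commit message shows free_config() freeing a block that translate_umad_to_ibdev_and_port() had already freed on this error path, so any later cleanup that frees the port pointer the same way would hit the same invalid free. Suggest adding "*ibport = NULL;" directly after "free(*ibport);" so both out-parameters are in a defined state when the function returns an error. The commit message would also be easier to audit with one sentence naming the cause (the error path frees a caller-visible pointer without clearing it), since it currently carries only the valgrind output.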