
[3/5,v2] load_imsm_mpb: fix double free

Message ID 2b2cdeac-d052-bd11-a3d6-d82d9b3fe10e@huawei.com (mailing list archive)
State Superseded, archived
Series mdadm: fix memory leak and double free

Commit Message

Wu Guanghao Aug. 2, 2022, 2:16 a.m. UTC
When free(super->buf) is called but super->buf is not set to NULL, there will be a double free

get_super_block
        err = load_and_parse_mpb
                load_imsm_mpb(.., s, ..)
                        if (posix_memalign(&super->buf, MAX_SECTOR_SIZE, super->len) != 0) // true, super->buf != NULL
                        if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
                                free(super->buf); //but super->buf not set NULL
                                return 2;

        if err != 0
                if (s)
                        free_imsm(s)
                                 __free_imsm(s)
                                        if (s)
                                                free(s->buf); //double free

Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
Reviewed-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
---
 super-intel.c | 1 +
 1 file changed, 1 insertion(+)

--
2.27.0
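As an added illustration (written for this note, not mdadm code), the same two-allocation error path with an instrumented free(): the unpatched variant lets free_imsm() release super->buf a second time, the patched variant does not. The struct and function names mirror the call trace in the commit message; tracked_free(), memalign_or_fail() and run_error_path() are constructed for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct intel_super { void *buf; void *migr_rec_buf; };

/* Instrumented free(): remembers the last pointer released and counts a
 * repeat release instead of handing it back to the allocator (UB). */
static void *last_freed; static int double_free_count;
static void tracked_free(void *p) {
	if (p == NULL) return;              /* free(NULL) is a no-op */
	if (p == last_freed) { double_free_count++; return; }
	last_freed = p;
	free(p);
}

/* Fault-injecting stand-in for posix_memalign(): the 2nd call fails. */
static int alloc_calls;
static int memalign_or_fail(void **out, size_t n) {
	if (alloc_calls++ == 1) return ENOMEM;
	*out = malloc(n);
	return *out ? 0 : ENOMEM;
}

/* Mirrors load_imsm_mpb(): migr_rec_buf allocation fails after buf. */
static int load_imsm_mpb(struct intel_super *super, int patched) {
	if (memalign_or_fail(&super->buf, 512) != 0) return 1;
	if (memalign_or_fail(&super->migr_rec_buf, 512) != 0) {
		tracked_free(super->buf);
		if (patched) super->buf = NULL;   /* the one-line fix */
		return 2;
	}
	return 0;
}

/* Mirrors __free_imsm(): releases s->buf unconditionally. */
static void free_imsm(struct intel_super *s) {
	tracked_free(s->buf);
	tracked_free(s->migr_rec_buf);
}

/* Runs the get_super_block() error path; returns double frees seen. */
int run_error_path(int patched) {
	struct intel_super s;
	memset(&s, 0, sizeof s);            /* migr_rec_buf stays NULL on failure */
	last_freed = NULL; double_free_count = alloc_calls = 0;
	if (load_imsm_mpb(&s, patched) != 0) free_imsm(&s);
	return double_free_count;           /* unpatched: 1, patched: 0 */
}
```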

Comments

Coly Li Sept. 3, 2022, 8:38 a.m. UTC | #1
> On Aug 2, 2022, at 10:16, Wu Guanghao <wuguanghao3@huawei.com> wrote:
> 
> When free(super->buf) is called but super->buf is not set to NULL, there will be a double free
> 
> get_super_block
>        err = load_and_parse_mpb
>                load_imsm_mpb(.., s, ..)
>                        if (posix_memalign(&super->buf, MAX_SECTOR_SIZE, super->len) != 0) // true, super->buf != NULL
>                        if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,); // false
>                                free(super->buf); //but super->buf not set NULL
>                                return 2;
> 
>        if err != 0
>                if (s)
>                        free_imsm(s)
>                                 __free_imsm(s)
>                                        if (s)
>                                                free(s->buf); //double free
> 
> Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
> Reviewed-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>

Acked-by: Coly Li <colyli@suse.de>

Thanks.

Coly Li


> ---
> super-intel.c | 1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/super-intel.c b/super-intel.c
> index 4ddfcf94..ddbdd3e1 100644
> --- a/super-intel.c
> +++ b/super-intel.c
> @@ -4510,6 +4510,7 @@ static int load_imsm_mpb(int fd, struct intel_super *super, char *devname)
>            MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
>                pr_err("could not allocate migr_rec buffer\n");
>                free(super->buf);
> +               super->buf = NULL;
>                return 2;
>        }
>        super->clean_migration_record_by_mdmon = 0;
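Review bot: Setting super->buf to NULL right after free(super->buf) in this error path is the right fix, since get_super_block() calls free_imsm() on the non-zero return and __free_imsm() frees s->buf unconditionally; free(NULL) is a defined no-op, so nothing further is needed on the cleanup side. A short comment above the new line, e.g. `/* free_imsm() releases super->buf again on error */`, would record why the NULL assignment is load-bearing for the next reader of load_imsm_mpb().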
> --
> 2.27.0

Patch

diff --git a/super-intel.c b/super-intel.c
index 4ddfcf94..ddbdd3e1 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -4510,6 +4510,7 @@  static int load_imsm_mpb(int fd, struct intel_super *super, char *devname)
            MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
                pr_err("could not allocate migr_rec buffer\n");
                free(super->buf);
+               super->buf = NULL;
                return 2;
        }
        super->clean_migration_record_by_mdmon = 0;
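Review bot: The commit message should state how the fix was verified, because a double free on this path is silent until the allocator happens to detect it; exercising get_super_block() with the migr_rec_buf posix_memalign() forced to fail, under AddressSanitizer or valgrind, before and after the patch would show the double-free report disappearing. The `super->buf = NULL;` line itself matches the indentation and style of the surrounding code.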