From: Yoann Padioleau
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Mon, 9 Jun 2014 07:40:27 +0000
Message-ID: <2D698F12-5C4C-4F49-A976-46592D9592CE@fb.com>
Subject: [9fans] kernel possible double free

Hi,

I think I've found a possible situation where we call free twice on the same pointer.

In sysexec() there is essentially

sysexec(...)
{
	…
	if(waserror()){
		free(file0);
		free(elem);
		nexterror();
	}
	for(;;){
		tc = namec(file, Aopen, OEXEC, 0);
		if(waserror()){
			cclose(tc);
			nexterror();
		}
		…
	}
	qlock(&up->seglock);
	if(waserror()){
		qunlock(&up->seglock);
		nexterror();
	}
	…
	free(file0);
+	file0 = nil;		<------------------------- we should add that, for the same reason we do elem = nil below
	free(up->text);
	up->text = elem;
	elem = nil;		/* so waserror() won't free elem */
	USED(elem);
	…
	qunlock(&up->seglock);
	poperror();		/* seglock */
-	poperror();		/* elem */	<----------------------- actually this is not the poperror of elem, but of tc
	…
	poperror();
	cclose(tc);
+	poperror();		/* elem and file0 */	<----------- this is where the poperror of elem should be.
}
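Review bot: the added "file0 = nil;" directly after "free(file0);" does close the window in which the outer handler's "free(file0)" would run on an already freed pointer, but it should get the same treatment the code already gives elem two lines below, i.e. a comment such as "/* so waserror() won't free file0 */" and a matching "USED(file0);", otherwise the assignment reads as a dead store and nothing tells the next reader why it is there. Like the existing "elem = nil;", the fix relies on the handler's free() tolerating a nil argument, which this code already assumes for elem.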
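Review bot: the move keeps the handler count at three, matching the three waserror() pushes shown (outer file0/elem handler, the tc handler pushed inside the for(;;), and the seglock handler), but it also changes which handler covers the elided code between "poperror(); /* seglock */" and "cclose(tc);": that region now runs under the tc handler, so an error there closes tc rather than leaking it, and the outer handler stays pushed until after "cclose(tc)", which is only harmless if file0 and elem are both nil by then. Suggest labelling the remaining "poperror();" before "cclose(tc);" as "/* tc */" so the three pops read in reverse push order, and confirming in the elided loop body that every iteration other than the last pops its own tc handler before looping, since the move assumes exactly one tc handler is outstanding when the loop exits.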