* [9fans] kernel possible double free
@ 2014-06-09 7:40 Yoann Padioleau
2014-06-09 8:18 ` Charles Forsyth
0 siblings, 1 reply; 2+ messages in thread
From: Yoann Padioleau @ 2014-06-09 7:40 UTC
To: Fans of the OS Plan 9 from Bell Labs
Hi,
I think I've found a possible situation where we call free twice on the same pointer.
In sysexec() there is essentially:
sysexec(...) {
…
if(waserror()){
free(file0);
free(elem);
nexterror();
}
for(;;){
tc = namec(file, Aopen, OEXEC, 0);
if(waserror()){
cclose(tc);
nexterror();
}
…
}
qlock(&up->seglock);
if(waserror()){
qunlock(&up->seglock);
nexterror();
}
…
free(file0);
+ file0 = nil; <------------------------- we should add that, for the same reason we do elem = nil below
free(up->text);
up->text = elem;
elem = nil; /* so waserror() won't free elem */
USED(elem);
…
qunlock(&up->seglock);
poperror(); /* seglock */
- poperror(); /* elem */ <----------------------- actually this is not the poperror of elem, but of tc
…
poperror();
cclose(tc);
+ poperror(); /* elem and file0 */ <----------- this is where the poperror of elem should be.
}
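Review bot: the added `file0 = nil;` after `free(file0);` has no matching `USED(file0);`, while the existing `elem = nil;` is followed by `USED(elem);`. If the compiler reports the nil store as set and not used, add `USED(file0);` next to it. With both pointers nil, the outer handler's `free(file0); free(elem);` stays harmless for any error raised before the relocated final `poperror();`, including during `cclose(tc);`, which is the ordering the move relies on. Since the removed line's `/* elem */` comment mislabelled which handler it popped, it would also help to label the remaining bare `poperror();` before `cclose(tc);` as `/* tc */`, so each of the three waserror() blocks can be matched to its pop by reading.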