Re: [PATCH] perf/x86/uncore: fix a potential double-free in uncore_type_init

[Zhenyu Wang <zhenyuw@linux.intel.com>]

[-- Attachment #1: Type: text/plain, Size: 1393 bytes --]

On 2023.12.05 11:27:09 +0800, Dinghao Liu wrote:
> When kzalloc for pmus[i].boxes fails, we should clean up pmus
> to prevent memleak. However, when kzalloc for attr_group fails,
> pmus has been assigned to type->pmus, and freeing will be done
> later on by the callers. The chain is: uncore_type_init ->
> uncore_types_init -> uncore_pci_init -> uncore_types_exit ->
> uncore_type_exit. Therefore, freeing pmus in uncore_type_init
> may cause a double-free. Fix this by setting type->pmus to
> NULL after kfree.

Change is ok but the call trace you wrote here is reversed or malformed??
With that fixed or cleared.

Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>

> 
> Fixes: 629eb703d3e4 ("perf/x86/intel/uncore: Fix memory leaks on allocation failures")
> Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
> ---
>  arch/x86/events/intel/uncore.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index 01023aa5125b..d80445a24011 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
> @@ -1041,6 +1041,7 @@ static int __init uncore_type_init(struct intel_uncore_type *type, bool setid)
>  	for (i = 0; i < type->num_boxes; i++)
>  		kfree(pmus[i].boxes);
>  	kfree(pmus);
> +	type->pmus = NULL;
>  
>  	return -ENOMEM;
>  }
> -- 
> 2.17.1
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]