From mboxrd@z Thu Jan 1 00:00:00 1970
From: Julien Grall
Subject: [PATCH] xen/arm: domain_vgic_init: Avoid double free on shared_irqs
Date: Fri, 25 Jul 2014 15:17:26 +0100
Message-ID: <1406297847-23440-1-git-send-email-julien.grall@linaro.org>
To: xen-devel@lists.xenproject.org
Cc: stefano.stabellini@citrix.com, Julien Grall, tim@xen.org, ian.campbell@citrix.com
List-Id: xen-devel@lists.xenproject.org

When the function domain_vgic_init fails to initialize pending_irqs, it will free shared_irqs. A few calls later, domain_vgic_free will be called and try to free the same variable a second time. This will result in a double free.

Remove the free in domain_vgic_init and rely on domain_vgic_free to correctly release the memory.

Signed-off-by: Julien Grall
---
This patch should be backported to Xen 4.4.
--- xen/arch/arm/vgic.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c index aba613b..edbb71a 100644 --- a/xen/arch/arm/vgic.c +++ b/xen/arch/arm/vgic.c @@ -84,10 +84,7 @@ int domain_vgic_init(struct domain *d, unsigned int nr_spis) d->arch.vgic.pending_irqs = xzalloc_array(struct pending_irq, d->arch.vgic.nr_spis); if ( d->arch.vgic.pending_irqs == NULL ) - { - xfree(d->arch.vgic.shared_irqs); return -ENOMEM; - } for (i=0; iarch.vgic.nr_spis; i++) { -- 1.7.10.4
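
Review bot: in the pending_irqs == NULL branch of domain_vgic_init, the bare "return -ENOMEM;" now leaves d->arch.vgic.shared_irqs allocated, and nothing at that site records that domain_vgic_free is expected to release it. A one-line comment there would keep a later cleanup from reintroducing the xfree and the double free with it. The fix also rests on two things these lines do not show: that domain_vgic_free runs after every failed domain_vgic_init, and that it copes with pending_irqs still being NULL. Both are worth confirming before the backport to Xen 4.4. An alternative that does not depend on the caller, assuming xfree accepts a NULL pointer, is to keep the xfree and set shared_irqs to NULL immediately afterwards.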