Subject: [PATCH] [BZ 197814] zdump/dfi: Fix segfault due to double free
From: Mikhail Zaslonko

Description: zdump: segfault on zgetdump -i for multi-volume dump

Symptom: zgetdump --info may lead to the core dump when issued for the device node (not a partition) right after installing multi-volume dump tool (without taking actual dump).

Problem: Double free condition occurs on zg_close() call at the end of the while loop in dfi_init() in scope of zgetdump processing.

Solution: Do not call zg_close() at the end of open_dump() function during multi-volume dump initialization.

Reproduction:
1) Install multi-volume dump tool
2) Run zgetdump -i using the device node of one of the dump volumes as a parameter without taking actual dump.

Upstream-ID: c4e4b926b471da9c488a6468e6bd966512d1d14c
Problem-ID: 197814

Upstream-Description:

zdump/dfi: Fix segfault due to double free

The problem can happen when dfi_s390mv_init_gen() returns with an error code to dfi_init() in dfi.c. Double free condition occurs on zg_close() call at the end of the while loop in dfi_init() if zg_close() has already been called for the same file handle at the end of open_dump() function in scope of dfi_s390mv_init_gen() processing. This global file handle is not closed during init() call for any other dump formats. Since it is not reopened/reused after open_dump() call during multi-volume dump initialization, we should not close it at all.

The problem can be reproduced in the following steps:

1) Install multi-volume dump tool

# zipl -M mvdump.conf
Dump target: 2 partitions with a total size of 4732 MB.
Warning: All information on the following partitions will be lost!
/dev/dasdb2
/dev/dasdb3
Do you want to continue creating multi-volume dump partitions (y/n)?y
Done.

2) Run zgetdump -i using device (not partition) as a parameter without taking actual dump.

# zgetdump -i /dev/dasdb
free(): double free detected in tcache 2
Aborted (core dumped)
Signed-off-by: Mikhail Zaslonko Reviewed-by: Alexander Egorenkov Signed-off-by: Jan Hoeppner Signed-off-by: Mikhail Zaslonko --- zdump/dfi_s390mv.c | 1 - 1 file changed, 1 deletion(-) --- a/zdump/dfi_s390mv.c +++ b/zdump/dfi_s390mv.c @@ -556,7 +556,6 @@ static int open_dump(void) } if (mv_dumper_read() != 0) return -ENODEV; - zg_close(g.fh); return 0; }
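Review bot: Dropping `zg_close(g.fh);` before `return 0;` in open_dump() silently moves ownership of the global handle to the caller (dfi_init() closes it at the end of its while loop, per the description), but nothing in the hunk records that, so a later reader could re-add the close and reintroduce the double free; suggest a one-line comment at the return, e.g. `/* g.fh is closed by dfi_init(), not here */`. Worth stating in the commit message too that this makes the two exit paths consistent: the `return -ENODEV;` path after `mv_dumper_read()` already left g.fh open before this change, so only the success path was closing early, which is exactly the asymmetry that produced the second free in dfi_init() when dfi_s390mv_init_gen() failed.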