Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

lguest: dereferencing freed mem in add_eventfd()

Browse source 
"new" was freed and then dereferenced.  Also the return value wasn't being
used so I modified the caller as well.

Compile tested only.  Found by smatch (http://repo.or.cz/w/smatch.git).

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
Dan Carpenter 2009-07-19 14:46:09 +03:00 committed by Rusty Russell
parent 658874f05d
commit f294526279
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
drivers/lguest/lguest_user.c
View file

@ -52,8 +52,9 @@ static int add_eventfd(struct lguest *lg, unsigned long addr, int fd)
new->map[new->num].addr = addr; new->map[new->num].addr = addr;
new->map[new->num].event = eventfd_ctx_fdget(fd); new->map[new->num].event = eventfd_ctx_fdget(fd);
if (IS_ERR(new->map[new->num].event)) { if (IS_ERR(new->map[new->num].event)) {
int err = PTR_ERR(new->map[new->num].event);
kfree(new); kfree(new);
return PTR_ERR(new->map[new->num].event); return err;
} }
new->num++; new->num++;
@ -83,7 +84,7 @@ static int attach_eventfd(struct lguest *lg, const unsigned long __user *input)
err = add_eventfd(lg, addr, fd); err = add_eventfd(lg, addr, fd);
mutex_unlock(&lguest_lock); mutex_unlock(&lguest_lock);
return 0; return err;
} }
/*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt /*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt