[Lguest] [PATCH 1/8] lguest: dereferencing freed mem in add_eventfd()
Rusty Russell
rusty at rustcorp.com.au
Thu Jul 23 23:44:45 EST 2009
From: Dan Carpenter <error27 at gmail.com>
"new" was freed and then dereferenced. Also the return value wasn't being
used so I modified the caller as well.
Compile tested only. Found by smatch (http://repo.or.cz/w/smatch.git).
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27 at gmail.com>
Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
---
drivers/lguest/lguest_user.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff -u
--- orig/drivers/lguest/lguest_user.c 2009-07-17 13:52:40.000000000 +0300
+++ new/drivers/lguest/lguest_user.c 2009-07-17 13:55:47.000000000 +0300
@@ -52,8 +52,9 @@
new->map[new->num].addr = addr;
new->map[new->num].event = eventfd_ctx_fdget(fd);
if (IS_ERR(new->map[new->num].event)) {
+ int err = PTR_ERR(new->map[new->num].event);
kfree(new);
- return PTR_ERR(new->map[new->num].event);
+ return err;
}
new->num++;
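Review bot: in the IS_ERR() branch the error code still has to be fetched back out of new->map[new->num].event before kfree(new), which is the ordering dependency that caused the original bug. Saving it in err first is correct, but a sturdier form would assign the result of eventfd_ctx_fdget(fd) to a local variable, check IS_ERR() on that local, and store it into new->map[new->num].event only on success. The error path would then never read through new at all, and a later reordering of kfree() could not reintroduce the use-after-free.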
@@ -83,7 +84,7 @@
err = add_eventfd(lg, addr, fd);
mutex_unlock(&lguest_lock);
- return 0;
+ return err;
}
/*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt
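Review bot: the switch from return 0 to return err at the end of this hunk is a caller-visible behaviour change that the commit message covers only as "the return value wasn't being used", and the patch is stated to be compile-tested only. Failures from add_eventfd() that used to be reported as success now propagate, so the message should say so explicitly. The failure path deserves a run-time check: confirm that the error code reaches the caller and that add_eventfd() returns 0 on success, which the visible lines do not show.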