eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()

	return rc;

}

static int

ecryptfs_send_message_locked(char *data, int data_len, u8 msg_type,

			     struct ecryptfs_msg_ctx **msg_ctx);

/**

 * ecryptfs_send_raw_message

 * @msg_type: Message type

 * @daemon: Daemon struct for recipient of message

 *

 * A raw message is one that does not include an ecryptfs_message

 * struct. It simply has a type.

 *

 * Must be called with ecryptfs_daemon_hash_mux held.

 *

 * Returns zero on success; non-zero otherwise

 */

static int ecryptfs_send_raw_message(u8 msg_type,

				     struct ecryptfs_daemon *daemon)

{

	struct ecryptfs_msg_ctx *msg_ctx;

	int rc;

	rc = ecryptfs_send_message_locked(NULL, 0, msg_type, &msg_ctx);

	if (rc) {

		printk(KERN_ERR "%s: Error whilst attempting to send "

		       "message to ecryptfsd; rc = [%d]\n", __func__, rc);

		goto out;

	}

	/* Raw messages are logically context-free (e.g., no

	 * reply is expected), so we set the state of the

	 * ecryptfs_msg_ctx object to indicate that it should

	 * be freed as soon as the message is sent. */

	mutex_lock(&msg_ctx->mux);

	msg_ctx->state = ECRYPTFS_MSG_CTX_STATE_NO_REPLY;

	mutex_unlock(&msg_ctx->mux);

out:

	return rc;

}

/**

 * ecryptfs_spawn_daemon - Create and initialize a new daemon struct

 * @daemon: Pointer to set to newly allocated daemon struct

	return rc;

}

/**

 * ecryptfs_process_helo

 * @euid: The user ID owner of the message

 * @user_ns: The namespace in which @euid applies

 * @pid: The process ID for the userspace program that sent the

 *       message

 *

 * Adds the euid and pid values to the daemon euid hash.  If an euid

 * already has a daemon pid registered, the daemon will be

 * unregistered before the new daemon is put into the hash list.

 * Returns zero after adding a new daemon to the hash list;

 * non-zero otherwise.

 */

int ecryptfs_process_helo(uid_t euid, struct user_namespace *user_ns,

			  struct pid *pid)

{

	struct ecryptfs_daemon *new_daemon;

	struct ecryptfs_daemon *old_daemon;

	int rc;

	mutex_lock(&ecryptfs_daemon_hash_mux);

	rc = ecryptfs_find_daemon_by_euid(&old_daemon, euid, user_ns);

	if (rc != 0) {

		printk(KERN_WARNING "Received request from user [%d] "

		       "to register daemon [0x%p]; unregistering daemon "

		       "[0x%p]\n", euid, pid, old_daemon->pid);

		rc = ecryptfs_send_raw_message(ECRYPTFS_MSG_QUIT, old_daemon);

		if (rc)

			printk(KERN_WARNING "Failed to send QUIT "

			       "message to daemon [0x%p]; rc = [%d]\n",

			       old_daemon->pid, rc);

		hlist_del(&old_daemon->euid_chain);

		kfree(old_daemon);

	}

	rc = ecryptfs_spawn_daemon(&new_daemon, euid, user_ns, pid);

	if (rc)

		printk(KERN_ERR "%s: The gods are displeased with this attempt "

		       "to create a new daemon object for euid [%d]; pid "

		       "[0x%p]; rc = [%d]\n", __func__, euid, pid, rc);

	mutex_unlock(&ecryptfs_daemon_hash_mux);

	return rc;

}

/**

 * ecryptfs_exorcise_daemon - Destroy the daemon struct

 *

	int rc = 0;

	mutex_lock(&msg_ctx->mux);

	if (data) {

	msg_ctx->msg = kmalloc((sizeof(*msg_ctx->msg) + data_size),

			       GFP_KERNEL);

	if (!msg_ctx->msg) {

		       (sizeof(*msg_ctx->msg) + data_size));

		goto out_unlock;

	}

	} else

		msg_ctx->msg = NULL;

	msg_ctx->msg->index = msg_ctx->index;

	msg_ctx->msg->data_len = data_size;

	msg_ctx->type = msg_type;

	if (data) {

	memcpy(msg_ctx->msg->data, data, data_size);

	msg_ctx->msg_size = (sizeof(*msg_ctx->msg) + data_size);

	} else

		msg_ctx->msg_size = 0;

	mutex_lock(&daemon->mux);

	list_add_tail(&msg_ctx->daemon_out_list, &daemon->msg_ctx_out_queue);

	daemon->num_queued_msg_ctx++;