Commit f2945262 authored by Dan Carpenter, committed by Rusty Russell
lguest: dereferencing freed mem in add_eventfd()

"new" was freed and then dereferenced.  Also the return value wasn't being
used so I modified the caller as well.

Compile tested only.  Found by smatch (http://repo.or.cz/w/smatch.git).

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
parent 658874f0
+3 −2
@@ -52,8 +52,9 @@ static int add_eventfd(struct lguest *lg, unsigned long addr, int fd)
	new->map[new->num].addr = addr;
	new->map[new->num].addr = addr;
	new->map[new->num].event = eventfd_ctx_fdget(fd);
	new->map[new->num].event = eventfd_ctx_fdget(fd);
	if (IS_ERR(new->map[new->num].event)) {
	if (IS_ERR(new->map[new->num].event)) {
		int err =  PTR_ERR(new->map[new->num].event);
		kfree(new);
		kfree(new);
		return PTR_ERR(new->map[new->num].event);
		return err;
	}
	}
	new->num++;
	new->num++;


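Review bot: in the IS_ERR() branch of add_eventfd() the error code still has to be read back out of new->map[] before the kfree(new), which is the pattern that made the original use-after-free easy to write. Consider holding the result of eventfd_ctx_fdget(fd) in a local variable, checking IS_ERR() on that, and storing it into new->map[new->num].event only on success, so the failure path no longer reads from "new" at all. Style nit on the added declaration: "int err =  PTR_ERR(...)" has two spaces after the "=".
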
@@ -83,7 +84,7 @@ static int attach_eventfd(struct lguest *lg, const unsigned long __user *input)
	err = add_eventfd(lg, addr, fd);
	err = add_eventfd(lg, addr, fd);
	mutex_unlock(&lguest_lock);
	mutex_unlock(&lguest_lock);


	return 0;
	return err;
}
}


/*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt
/*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt
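
Review bot: the switch from "return 0;" to "return err;" at the end of attach_eventfd() changes what the function reports when add_eventfd() fails, since it previously returned 0 unconditionally at this point, but the commit message covers it only as "modified the caller as well" and the patch is compile tested only. The changelog should state that failures are now propagated, and the callers of attach_eventfd(), which are not visible in this hunk, should be checked to confirm they handle a negative return correctly.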