v9fs_dir_readdir: fix double-free on p9stat_read error

p9stat_read will call p9stat_free on error, we should only free the
struct content on success.

There also is no need to "p9stat_init" st as the read function will
zero the whole struct for us anyway, so clean up the code a bit while
we are here.

Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com

1 files changed, 0 insertions, 11 deletions

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index b0405d6aac85..48db9a9f13f9 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wstat *mistat)
         return rettype;
 }
 
-static void p9stat_init(struct p9_wstat *stbuf)
-{
-        stbuf->name  = NULL;
-        stbuf->uid   = NULL;
-        stbuf->gid   = NULL;
-        stbuf->muid  = NULL;
-        stbuf->extension = NULL;
-}
-
 /**
  * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir
  * @filp: opened file structure
@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
                         rdir->tail = n;
                 }
                 while (rdir->head < rdir->tail) {
-                        p9stat_init(&st);
                         err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
                                           rdir->tail - rdir->head, &st);
                         if (err) {
                                 p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
-                                p9stat_free(&st);
                                 return -EIO;
                         }
                         reclen = st.size+2;