diff options
author | Dan Carpenter <error27@gmail.com> | 2009-07-19 07:46:09 -0400 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2009-07-30 02:33:43 -0400 |
commit | f294526279cda8934b0313ebd02184a16ba888c9 (patch) | |
tree | a89b108800b8f8cdcf6a6eae4f69bb10df3ac79c | |
parent | 658874f05d040ca96eb5ba9b1c30ce0ff287d762 (diff) |
lguest: dereferencing freed mem in add_eventfd()
"new" was freed and then dereferenced. Also the return value wasn't being
used so I modified the caller as well.
Compile tested only. Found by smatch (http://repo.or.cz/w/smatch.git).
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-rw-r--r-- | drivers/lguest/lguest_user.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c index 9f9a2953b383..407722a8e0c4 100644 --- a/drivers/lguest/lguest_user.c +++ b/drivers/lguest/lguest_user.c | |||
@@ -52,8 +52,9 @@ static int add_eventfd(struct lguest *lg, unsigned long addr, int fd) | |||
52 | new->map[new->num].addr = addr; | 52 | new->map[new->num].addr = addr; |
53 | new->map[new->num].event = eventfd_ctx_fdget(fd); | 53 | new->map[new->num].event = eventfd_ctx_fdget(fd); |
54 | if (IS_ERR(new->map[new->num].event)) { | 54 | if (IS_ERR(new->map[new->num].event)) { |
55 | int err = PTR_ERR(new->map[new->num].event); | ||
55 | kfree(new); | 56 | kfree(new); |
56 | return PTR_ERR(new->map[new->num].event); | 57 | return err; |
57 | } | 58 | } |
58 | new->num++; | 59 | new->num++; |
59 | 60 | ||
@@ -83,7 +84,7 @@ static int attach_eventfd(struct lguest *lg, const unsigned long __user *input) | |||
83 | err = add_eventfd(lg, addr, fd); | 84 | err = add_eventfd(lg, addr, fd); |
84 | mutex_unlock(&lguest_lock); | 85 | mutex_unlock(&lguest_lock); |
85 | 86 | ||
86 | return 0; | 87 | return err; |
87 | } | 88 | } |
88 | 89 | ||
89 | /*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt | 90 | /*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt |