authorDan Carpenter <error27@gmail.com>2009-07-19 07:46:09 -0400
committerRusty Russell <rusty@rustcorp.com.au>2009-07-30 02:33:43 -0400
commitf294526279cda8934b0313ebd02184a16ba888c9 (patch)
treea89b108800b8f8cdcf6a6eae4f69bb10df3ac79c
parent658874f05d040ca96eb5ba9b1c30ce0ff287d762 (diff)
lguest: dereferencing freed mem in add_eventfd()
"new" was freed and then dereferenced. Also the return value wasn't being used so I modified the caller as well. Compile tested only. Found by smatch (http://repo.or.cz/w/smatch.git). regards, dan carpenter Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-rw-r--r--drivers/lguest/lguest_user.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c
index 9f9a2953b383..407722a8e0c4 100644
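--- a/drivers/lguest/lguest_user.c
+++ b/drivers/lguest/lguest_user.c
@@ -52,8 +52,9 @@ static int add_eventfd(struct lguest *lg, unsigned long addr, int fd)
  new->map[new->num].addr = addr;
  new->map[new->num].event = eventfd_ctx_fdget(fd);
  if (IS_ERR(new->map[new->num].event)) {
+ int err = PTR_ERR(new->map[new->num].event);
  kfree(new);
- return PTR_ERR(new->map[new->num].event);
+ return err;
  }
  new->num++;
 
@@ -83,7 +84,7 @@ static int attach_eventfd(struct lguest *lg, const unsigned long __user *input)
  err = add_eventfd(lg, addr, fd);
  mutex_unlock(&lguest_lock);
 
- return 0;
+ return err;
 }
 
 /*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt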
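Review bot: In add_eventfd()'s error branch, nothing explains why `err` has to be read before `kfree(new)`, so a later tidy-up could fold it back into a single `return PTR_ERR(...)` placed after the free and bring back the read of freed memory. I would add a comment above the new line, `/* Read the error out of new before kfree(): new->map is accessed through it. */`. In attach_eventfd(), `return err;` now passes add_eventfd()'s failure to a caller that is outside this hunk; as the commit was compile tested only, that caller should be checked to confirm it forwards a negative value as an error rather than expecting 0 unconditionally. Both function bodies begin before the lines shown here.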