diff options
| author | Tejun Heo <tj@kernel.org> | 2008-10-13 19:45:20 -0400 |
|---|---|---|
| committer | Eric Van Hensbergen <ericvh@gmail.com> | 2008-10-17 12:04:42 -0400 |
| commit | 95820a36516d12dcb49d066dd3d5b187a2557612 (patch) | |
| tree | 84ba5869e9f68b3c943e75feb7c634da1c61f47a /net/9p | |
| parent | 91b8534fa8f5e01f249b1bf8df0a2540053549ad (diff) | |
9p: drop broken unused error path from p9_conn_create()
Post p9_fd_poll() error path which checks m->poll_waddr[i] for PTR_ERR
value has the following problems.
* It's completely unused. Error value is set iff NULL @wait_address
has been specified to p9_pollwait() which is guaranteed not to
happen.
* It dereferences @m after deallocating it (introduced by 571ffeaf and
spotted by Raja R Harinath.
* It returned the wrong value on error. It should return
poll_waddr[i] but it returnes poll_waddr (introduced by 571ffeaf).
* p9_mux_poll_stop() doesn't handle PTR_ERR value. It will try to
operate on the PTR_ERR value as if it's a normal pointer and cause
oops.
As the error path is bogus in the first place, there's no reason to
hold onto it. Kill it.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Raja R Harinath <harinath@hurrynot.org>
Diffstat (limited to 'net/9p')
| -rw-r--r-- | net/9p/trans_fd.c | 17 |
1 files changed, 1 insertions, 16 deletions
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 6bfc013f8b6f..c07f2ab8d0f7 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c | |||
| @@ -540,12 +540,6 @@ p9_pollwait(struct file *filp, wait_queue_head_t *wait_address, poll_table *p) | |||
| 540 | return; | 540 | return; |
| 541 | } | 541 | } |
| 542 | 542 | ||
| 543 | if (!wait_address) { | ||
| 544 | P9_DPRINTK(P9_DEBUG_ERROR, "no wait_address\n"); | ||
| 545 | pwait->wait_addr = ERR_PTR(-EIO); | ||
| 546 | return; | ||
| 547 | } | ||
| 548 | |||
| 549 | pwait->conn = m; | 543 | pwait->conn = m; |
| 550 | pwait->wait_addr = wait_address; | 544 | pwait->wait_addr = wait_address; |
| 551 | init_waitqueue_func_entry(&pwait->wait, p9_pollwake); | 545 | init_waitqueue_func_entry(&pwait->wait, p9_pollwake); |
| @@ -561,7 +555,7 @@ p9_pollwait(struct file *filp, wait_queue_head_t *wait_address, poll_table *p) | |||
| 561 | 555 | ||
| 562 | static struct p9_conn *p9_conn_create(struct p9_client *client) | 556 | static struct p9_conn *p9_conn_create(struct p9_client *client) |
| 563 | { | 557 | { |
| 564 | int i, n; | 558 | int n; |
| 565 | struct p9_conn *m; | 559 | struct p9_conn *m; |
| 566 | 560 | ||
| 567 | P9_DPRINTK(P9_DEBUG_MUX, "client %p msize %d\n", client, client->msize); | 561 | P9_DPRINTK(P9_DEBUG_MUX, "client %p msize %d\n", client, client->msize); |
| @@ -590,15 +584,6 @@ static struct p9_conn *p9_conn_create(struct p9_client *client) | |||
| 590 | set_bit(Wpending, &m->wsched); | 584 | set_bit(Wpending, &m->wsched); |
| 591 | } | 585 | } |
| 592 | 586 | ||
| 593 | for (i = 0; i < ARRAY_SIZE(m->poll_wait); i++) { | ||
| 594 | if (IS_ERR(m->poll_wait[i].wait_addr)) { | ||
| 595 | p9_mux_poll_stop(m); | ||
| 596 | kfree(m); | ||
| 597 | /* return the error code */ | ||
| 598 | return (void *)m->poll_wait[i].wait_addr; | ||
| 599 | } | ||
| 600 | } | ||
| 601 | |||
| 602 | return m; | 587 | return m; |
| 603 | } | 588 | } |
| 604 | 589 | ||