Message ID | 20200710113610.GA92345@mwanda (mailing list archive) |
---|---|
State | Accepted |
Commit | ba8c423488974f02b538e9dc1730f0334f9b85aa |
Series | xen/xenbus: Fix a double free in xenbus_map_ring_pv() |

On 10.07.20 13:36, Dan Carpenter wrote:
> When there is an error the caller frees "info->node" so the free here
> will result in a double free. We should just delete first kfree().
>
> Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on the stack")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks for spotting this!

Reviewed-by: Juergen Gross <jgross@suse.com>

Juergen

On 7/10/20 8:15 AM, Jürgen Groß wrote:
> On 10.07.20 13:36, Dan Carpenter wrote:
>> When there is an error the caller frees "info->node" so the free here
>> will result in a double free. We should just delete first kfree().
>>
>> Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on
>> the stack")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Thanks for spotting this!
>
> Reviewed-by: Juergen Gross <jgross@suse.com>

Applied to for-linus-5.8b

-boris

diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c index 4f168b46fbca..786fbb7d8be0 100644 --- a/drivers/xen/xenbus/xenbus_client.c +++ b/drivers/xen/xenbus/xenbus_client.c @@ -693,10 +693,8 @@ static int xenbus_map_ring_pv(struct xenbus_device *dev, bool leaked; area = alloc_vm_area(XEN_PAGE_SIZE * nr_grefs, info->ptes); - if (!area) { - kfree(node); + if (!area) return -ENOMEM; - } for (i = 0; i < nr_grefs; i++) info->phys_addrs[i] =
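
Review bot: The early return under `if (!area)` now leaves `node` allocated, and nothing at that line says who releases it. The commit message explains that the caller frees "info->node" on error, so a short comment on this return, or in the function's header comment, stating that ownership of the node stays with the caller would help keep a later cleanup from reintroducing the kfree(). The message also speaks of the "first kfree()", so the other error paths of xenbus_map_ring_pv(), which lie outside this hunk, are worth checking against the same ownership rule before merging.
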
When there is an error the caller frees "info->node" so the free here
will result in a double free. We should just delete first kfree().

Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/xen/xenbus/xenbus_client.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)