xen/xenbus: Fix a double free in xenbus_map_ring_pv()

Commit Message

Dan Carpenter July 10, 2020, 11:36 a.m. UTC

When there is an error the caller frees "info->node" so the free here
will result in a double free.  We should just delete first kfree().

Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/xen/xenbus/xenbus_client.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

Comments

Jürgen Groß July 10, 2020, 12:15 p.m. UTC | #1

On 10.07.20 13:36, Dan Carpenter wrote:
> When there is an error the caller frees "info->node" so the free here
> will result in a double free.  We should just delete first kfree().
> 
> Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on the stack")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks for spotting this!

Reviewed-by: Juergen Gross <jgross@suse.com>


Juergen

Boris Ostrovsky July 10, 2020, 3:40 p.m. UTC | #2

On 7/10/20 8:15 AM, Jürgen Groß wrote:
> On 10.07.20 13:36, Dan Carpenter wrote:
>> When there is an error the caller frees "info->node" so the free here
>> will result in a double free.  We should just delete first kfree().
>>
>> Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on
>> the stack")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Thanks for spotting this!
>
> Reviewed-by: Juergen Gross <jgross@suse.com> 


Applied to for-linus-5.8b


-boris

Patch

diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c
index 4f168b46fbca..786fbb7d8be0 100644
--- a/drivers/xen/xenbus/xenbus_client.c
+++ b/drivers/xen/xenbus/xenbus_client.c
@@ -693,10 +693,8 @@  static int xenbus_map_ring_pv(struct xenbus_device *dev,
 	bool leaked;
 
 	area = alloc_vm_area(XEN_PAGE_SIZE * nr_grefs, info->ptes);
-	if (!area) {
-		kfree(node);
+	if (!area)
 		return -ENOMEM;
-	}
 
 	for (i = 0; i < nr_grefs; i++)
 		info->phys_addrs[i] =