diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2020-07-10 13:36:10 +0200 |
---|---|---|
committer | Boris Ostrovsky <boris.ostrovsky@oracle.com> | 2020-07-10 14:20:43 +0200 |
commit | ba8c423488974f02b538e9dc1730f0334f9b85aa (patch) | |
tree | 72a1ee9e90ff23e74fb7ae6d5ff38897a8b383ef /drivers/xen | |
parent | xen/xenbus: let xenbus_map_ring_valloc() return errno values only (diff) | |
download | linux-ba8c423488974f02b538e9dc1730f0334f9b85aa.tar.xz linux-ba8c423488974f02b538e9dc1730f0334f9b85aa.zip |
xen/xenbus: Fix a double free in xenbus_map_ring_pv()
When there is an error the caller frees "info->node" so the free here
will result in a double free. We should just delete first kfree().
Fixes: 3848e4e0a32a ("xen/xenbus: avoid large structs and arrays on the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200710113610.GA92345@mwanda
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Diffstat (limited to 'drivers/xen')
-rw-r--r-- | drivers/xen/xenbus/xenbus_client.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c index 4f168b46fbca..786fbb7d8be0 100644 --- a/drivers/xen/xenbus/xenbus_client.c +++ b/drivers/xen/xenbus/xenbus_client.c @@ -693,10 +693,8 @@ static int xenbus_map_ring_pv(struct xenbus_device *dev, bool leaked; area = alloc_vm_area(XEN_PAGE_SIZE * nr_grefs, info->ptes); - if (!area) { - kfree(node); + if (!area) return -ENOMEM; - } for (i = 0; i < nr_grefs; i++) info->phys_addrs[i] = |