author | Matt Fleming <matt@codeblueprint.co.uk> | 2016-08-15 15:29:20 +0100 |
---|---|---|
committer | Matt Fleming <matt@codeblueprint.co.uk> | 2016-09-09 16:08:48 +0100 |
commit | 22c2b77f419bdc9317f00b395283abd33157368e (patch) | |
tree | 379db94c904ad0916c7cbc9d11c0f0d2fc77f6e1 /fs | |
parent | 0513fe1d28e45deb39159dbeedf0660c3f0effd2 (diff) | |
fs/efivarfs: Fix double kfree() in error path

Julia reported that we may double free 'name' in efivarfs_callback(),
and that this bug was introduced by commit 0d22f33bc37c ("efi: Don't
use spinlocks for efi vars").

Move one of the kfree()s until after the point at which we know we are
definitely on the success path.

Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Acked-by: Julia Lawall <julia.lawall@lip6.fr>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Sylvain Chouleur <sylvain.chouleur@gmail.com>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/efivarfs/super.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 01e3d6e..d7a7c53 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -157,14 +157,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, goto fail_inode; } - /* copied by the above to local storage in the dentry. */ - kfree(name); - efivar_entry_size(entry, &size); err = efivar_entry_add(entry, &efivarfs_list); if (err) goto fail_inode; + /* copied by the above to local storage in the dentry. */ + kfree(name); + inode_lock(inode); inode->i_private = entry; i_size_write(inode, size + sizeof(entry->var.Attributes)); |
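Review bot: the relocated comment "copied by the above to local storage in the dentry" no longer sits next to the call it describes. In its new position after efivar_entry_add(), "the above" reads as if that call made the copy, so the comment should name the earlier call that copies name into the dentry, or say "name was copied into the dentry earlier". With kfree(name) now reached only on the success path, both `goto fail_inode` sites in this hunk depend on the fail_inode label being the single place that frees name on error; the label is outside the visible context, so it is worth confirming that it still frees name exactly once and that nothing after the new kfree(name) can jump back to it.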