From: Julia Lawall <julia@diku.dk>
If the kfree is executed, the dereference of range afterwards will
represent a use after free. Added goto out, as done in the other nearby
error handling code.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
expression x,e;
identifier f;
iterator I;
statement S;
@@
*kfree(x);
... when != &x
when != x = e
when != I(x,...) S
*x->f
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
---
fs/btrfs/ioctl.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 2845c6c..dacbb52 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1375,6 +1375,7 @@ static int btrfs_ioctl_defrag(struct file *file, void
__user *argp)
sizeof(*range))) {
ret = -EFAULT;
kfree(range);
+ goto out;
}
/* compression requires us to start the IO */
if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) {