The Coverity checker spotted the following use-after-free
in drivers/xen/xenbus/xenbus_xs.c:
<-- snip -->
...
static int process_msg(void)
{
...
if (IS_ERR(msg->u.watch.vec)) {
kfree(msg);
err = PTR_ERR(msg->u.watch.vec);
...
<-- snip -->
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Adrian Bunk
2007-Jul-23 01:11 UTC
[Xen-devel] [2.6.23 patch] xenbus_xs.c: fix a use-after-free
This patch fixes an obvious use-after-free spotted by the Coverity checker.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
---
--- linux-2.6.22-rc6-mm1/drivers/xen/xenbus/xenbus_xs.c.old 2007-07-23
03:04:20.000000000 +0200
+++ linux-2.6.22-rc6-mm1/drivers/xen/xenbus/xenbus_xs.c 2007-07-23
03:04:42.000000000 +0200
@@ -782,8 +782,8 @@ static int process_msg(void)
msg->u.watch.vec = split(body, msg->hdr.len,
&msg->u.watch.vec_size);
if (IS_ERR(msg->u.watch.vec)) {
- kfree(msg);
err = PTR_ERR(msg->u.watch.vec);
+ kfree(msg);
goto out;
}
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Jeremy Fitzhardinge
2007-Jul-23 06:47 UTC
[Xen-devel] Re: [2.6.23 patch] xenbus_xs.c: fix a use-after-free
Adrian Bunk wrote:> This patch fixes an obvious use-after-free spotted by the Coverity checker. > > Signed-off-by: Adrian Bunk <bunk@stusta.de> >OK, thanks. J _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel