lguest: dereferencing freed mem in add_eventfd()

"new" was freed and then dereferenced. Also the return value wasn't being used so I modified the caller as well. Compile tested only. Found by smatch (http://repo.or.cz/w/smatch.git). regards, dan carpenter Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: Rusty Russell <[email protected]>
tdeneau · Jul 30, 2009 · f294526 · f294526
1 parent 658874f
commit f294526
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c
@@ -52,8 +52,9 @@ static int add_eventfd(struct lguest *lg, unsigned long addr, int fd)
 	new->map[new->num].addr = addr;
 	new->map[new->num].event = eventfd_ctx_fdget(fd);
 	if (IS_ERR(new->map[new->num].event)) {
+		int err =  PTR_ERR(new->map[new->num].event);
 		kfree(new);
-		return PTR_ERR(new->map[new->num].event);
+		return err;
 	}
 	new->num++;
 
@@ -83,7 +84,7 @@ static int attach_eventfd(struct lguest *lg, const unsigned long __user *input)
 	err = add_eventfd(lg, addr, fd);
 	mutex_unlock(&lguest_lock);
 
-	return 0;
+	return err;
 }
 
 /*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt