Yep, it's a leak.

Thanks,
    Lucho

On 7/25/07, Eric Van Hensbergen <[EMAIL PROTECTED]> wrote:
On 7/22/07, Adrian Bunk <[EMAIL PROTECTED]> wrote:
> The Coverity checker spotted the following use-after-free
> in net/9p/mux.c:
>
> <-- snip -->
>
> ...
> struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
>                                unsigned char *extended)
> {
> ...
>         if (!m->tagpool) {
>                 kfree(m);
>                 return ERR_PTR(PTR_ERR(m->tagpool));
>         }
> ...
>
> <-- snip -->
>

I've got a fix for this one:

        if (!m->tagpool) {
                mtmp = ERR_PTR(PTR_ERR(m->tagpool));
                kfree(m);
                return mtmp;
        }

but I was wondering about one of the other returns further down the function:

...
        memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
        m->poll_task = NULL;
        n = p9_mux_poll_start(m);
        if (n)
                return ERR_PTR(n);

        n = trans->poll(trans, &m->pt);
...

lucho: doesn't that constitute a leak? Shouldn't we be doing:

        if (n) {
                kfree(m);
                return ERR_PTR(n);
        }

        -eric
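
The two error-path problems discussed in this thread (reading `m` after freeing it, and returning early without freeing it), shown as an added userspace C example that is not part of the original messages and is not the net/9p code. All names (`conn_create`, `pool_create`, `poll_start`, `fail_at`, the counting allocator) are hypothetical stand-ins, and freeing the pool on the later failure is a detail of this model, not something the thread states.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed userspace stand-ins; none of these names come from net/9p. */
static int live_allocs;  /* outstanding allocations, used for leak checks */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
int outstanding(void) { return live_allocs; }
struct pool { int unused; };
struct conn { struct pool *tagpool; int poll_started; };
enum fail_at { FAIL_NONE, FAIL_TAGPOOL, FAIL_POLL_START };  /* injected failure */

static struct pool *pool_create(enum fail_at f)
{ return f == FAIL_TAGPOOL ? NULL : xalloc(sizeof(struct pool)); }
static int poll_start(struct conn *m, enum fail_at f)
{ if (f == FAIL_POLL_START) return -EBUSY; m->poll_started = 1; return 0; }

/* Returns 0 and stores the connection in *out, or a negative errno. */
int conn_create(enum fail_at f, struct conn **out)
{
    struct conn *m;
    int err;

    *out = NULL;
    m = xalloc(sizeof(*m));
    if (!m)
        return -ENOMEM;
    m->tagpool = pool_create(f);
    if (!m->tagpool) {
        err = -ENOMEM;      /* settle the return value while m is still valid */
        goto free_conn;
    }
    err = poll_start(m, f);
    if (err)
        goto free_pool;     /* the later return has to release m as well */
    *out = m;
    return 0;

free_pool:
    xfree(m->tagpool);      /* m has not been freed yet, so this read is safe */
free_conn:
    xfree(m);               /* nothing dereferences m after this line */
    return err;
}

void conn_destroy(struct conn *m) { if (m) { xfree(m->tagpool); xfree(m); } }

int main(void)
{ struct conn *c; return (conn_create(FAIL_POLL_START, &c) == -EBUSY && !outstanding()) ? 0 : 1; }
```

Funnelling every failure through one set of labels keeps the free in a single place, so a return added later cannot skip it.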