From 22c2b77f419bdc9317f00b395283abd33157368e Mon Sep 17 00:00:00 2001 From: Matt Fleming Date: Mon, 15 Aug 2016 15:29:20 +0100 Subject: fs/efivarfs: Fix double kfree() in error path Julia reported that we may double free 'name' in efivarfs_callback(), and that this bug was introduced by commit 0d22f33bc37c ("efi: Don't use spinlocks for efi vars"). Move one of the kfree()s until after the point at which we know we are definitely on the success path. Reported-by: Julia Lawall Acked-by: Julia Lawall Cc: Ard Biesheuvel Cc: Sylvain Chouleur Signed-off-by: Matt Fleming diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 01e3d6e..d7a7c53 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -157,14 +157,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, goto fail_inode; } - /* copied by the above to local storage in the dentry. */ - kfree(name); - efivar_entry_size(entry, &size); err = efivar_entry_add(entry, &efivarfs_list); if (err) goto fail_inode; + /* copied by the above to local storage in the dentry. */ + kfree(name); + inode_lock(inode); inode->i_private = entry; i_size_write(inode, size + sizeof(entry->var.Attributes)); -- cgit v0.10.2