fs/efivarfs: Fix double kfree() in error path
authorMatt Fleming <matt@codeblueprint.co.uk>
Mon, 15 Aug 2016 14:29:20 +0000 (15:29 +0100)
committerMatt Fleming <matt@codeblueprint.co.uk>
Fri, 9 Sep 2016 15:08:48 +0000 (16:08 +0100)
Julia reported that we may double free 'name' in efivarfs_callback(),
and that this bug was introduced by commit 0d22f33bc37c ("efi: Don't
use spinlocks for efi vars").

Move one of the kfree()s until after the point at which we know we are
definitely on the success path.

Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Acked-by: Julia Lawall <julia.lawall@lip6.fr>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Sylvain Chouleur <sylvain.chouleur@gmail.com>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
fs/efivarfs/super.c

index 01e3d6e53944bb7c5d1701c83ca2567058f8b434..d7a7c53803c1bfd0254d0479851cf259cea29f7c 100644 (file)
@@ -157,14 +157,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor,
                goto fail_inode;
        }
 
-       /* copied by the above to local storage in the dentry. */
-       kfree(name);
-
        efivar_entry_size(entry, &size);
        err = efivar_entry_add(entry, &efivarfs_list);
        if (err)
                goto fail_inode;
 
+       /* copied by the above to local storage in the dentry. */
+       kfree(name);
+
        inode_lock(inode);
        inode->i_private = entry;
        i_size_write(inode, size + sizeof(entry->var.Attributes));