From: Matt Fleming
Date: Mon, 15 Aug 2016 14:29:20 +0000 (+0100)
Subject: fs/efivarfs: Fix double kfree() in error path
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=22c2b77f419bdc9317f00b395283abd33157368e;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git

fs/efivarfs: Fix double kfree() in error path

Julia reported that we may double free 'name' in efivarfs_callback(), and that this bug was introduced by commit 0d22f33bc37c ("efi: Don't use spinlocks for efi vars").

Move one of the kfree()s until after the point at which we know we are definitely on the success path.

Reported-by: Julia Lawall
Acked-by: Julia Lawall
Cc: Ard Biesheuvel
Cc: Sylvain Chouleur
Signed-off-by: Matt Fleming
---
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 01e3d6e53944..d7a7c53803c1 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -157,14 +157,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, goto fail_inode; } - /* copied by the above to local storage in the dentry. */ - kfree(name); - efivar_entry_size(entry, &size); err = efivar_entry_add(entry, &efivarfs_list); if (err) goto fail_inode; + /* copied by the above to local storage in the dentry. */ + kfree(name); + inode_lock(inode); inode->i_private = entry; i_size_write(inode, size + sizeof(entry->var.Attributes));
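
Review bot: the relocated comment "copied by the above to local storage in the dentry." no longer sits under the code it describes. In the added lines it follows efivar_entry_add() and the "if (err) goto fail_inode;" check, so "the above" now reads as if efivar_entry_add() were the call that copies name. Suggest rewording it to say that the dentry already holds its own copy and that name is freed here only because every "goto fail_inode" has been passed, which also records the ownership rule this fix depends on: before this point the error path owns the free, after it this function does. The fail_inode label is outside the hunk, so it is worth confirming in the full file that it frees name exactly once on each path that reaches it, including the "goto fail_inode;" in the leading context. The commit message identifies 0d22f33bc37c as the introducing commit but carries no Fixes: trailer, which would help backporters pick this up alongside that change.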