From: Dan Carpenter <error27@gmail.com>
Date: Sun, 19 Jul 2009 11:46:09 +0000 (+0300)
Subject: lguest: dereferencing freed mem in add_eventfd()
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f294526279cda8934b0313ebd02184a16ba888c9;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git

lguest: dereferencing freed mem in add_eventfd()

"new" was freed and then dereferenced.  Also the return value wasn't being
used so I modified the caller as well.

Compile tested only.  Found by smatch (http://repo.or.cz/w/smatch.git).

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---

diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c
index 9f9a2953b383..407722a8e0c4 100644
--- a/drivers/lguest/lguest_user.c
+++ b/drivers/lguest/lguest_user.c
@@ -52,8 +52,9 @@ static int add_eventfd(struct lguest *lg, unsigned long addr, int fd)
 	new->map[new->num].addr = addr;
 	new->map[new->num].event = eventfd_ctx_fdget(fd);
 	if (IS_ERR(new->map[new->num].event)) {
+		int err =  PTR_ERR(new->map[new->num].event);
 		kfree(new);
-		return PTR_ERR(new->map[new->num].event);
+		return err;
 	}
 	new->num++;
 
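Review bot: the fix is right, since `new` is freed on the line before the original `return PTR_ERR(new->map[new->num].event)` reads through it, and copying the error into `err` before `kfree(new)` is the correct ordering. One style nit: `int err =  PTR_ERR(...)` has two spaces after `=`; it should be a single space to match the surrounding code.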
@@ -83,7 +84,7 @@ static int attach_eventfd(struct lguest *lg, const unsigned long __user *input)
 	err = add_eventfd(lg, addr, fd);
 	mutex_unlock(&lguest_lock);
 
-	return 0;
+	return err;
 }
 
 /*L:050 Sending an interrupt is done by writing LHREQ_IRQ and an interrupt
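Review bot: the `return err` change is needed for the first hunk to matter, because otherwise `attach_eventfd()` reported success after `add_eventfd()` failed and the caller would believe an eventfd had been attached. Since `err` is only assigned from `add_eventfd()` here, the success path still returns 0 as before; please double-check that the ioctl/write caller of `attach_eventfd()` already propagates a negative return, as that is outside the visible context.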