From: Julia Lawall on 28 Mar 2010 12:10 From: Julia Lawall <julia(a)diku.dk> If the kfree is executed, the dereference of range afterwards will represent a use after free. Added goto out, as done in the other nearby error handling code. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression x,e; identifier f; iterator I; statement S; @@ *kfree(x); .... when != &x when != x = e when != I(x,...) S *x->f // </smpl> Signed-off-by: Julia Lawall <julia(a)diku.dk> --- fs/btrfs/ioctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 2845c6c..dacbb52 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -1375,6 +1375,7 @@ static int btrfs_ioctl_defrag(struct file *file, void __user *argp) sizeof(*range))) { ret = -EFAULT; kfree(range); + goto out; } /* compression requires us to start the IO */ if ((range->flags & BTRFS_DEFRAG_RANGE_COMPRESS)) { -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
|
Pages: 1 Prev: video/sn9c102: improve error handling Next: [PATCH] Add hotplug support to mcp251x driver |