Commit ba8c4234 authored Jul 10, 2020 by Dan Carpenter Committed by Boris Ostrovsky Jul 10, 2020

xen/xenbus: Fix a double free in xenbus_map_ring_pv()

When there is an error the caller frees "info->node" so the free here
will result in a double free. We should just delete first kfree().

Fixes: 3848e4e0 ("xen/xenbus: avoid large structs and arrays on the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200710113610.GA92345@mwanda

Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>

parent 578c1bb9

drivers/xen/xenbus/xenbus_client.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -693,10 +693,8 @@ static int xenbus_map_ring_pv(struct xenbus_device *dev,
		bool leaked;

		area = alloc_vm_area(XEN_PAGE_SIZE * nr_grefs, info->ptes);
		if (!area) {
		kfree(node);
		if (!area)
		return -ENOMEM;
		}

		for (i = 0; i < nr_grefs; i++)
		info->phys_addrs[i] =