From: Dan Carpenter Date: Thu, 11 Jun 2015 08:51:16 +0000 (+0300) Subject: Smack: freeing an error pointer in smk_write_revoke_subj() X-Git-Tag: firefly_0821_release~176^2~1534^2~4^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=5430209497eeb01415c681aaac0d00f65d24a526;p=firefly-linux-kernel-4.4.55.git Smack: freeing an error pointer in smk_write_revoke_subj() This code used to rely on the fact that kfree(NULL) was a no-op, but then we changed smk_parse_smack() to return error pointers on failure instead of NULL. Calling kfree() on an error pointer will oops. I have re-arranged things a bit so that we only free things if they have been allocated. Fixes: e774ad683f42 ('smack: pass error code through pointers') Signed-off-by: Dan Carpenter --- diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index f1c22a891b1a..5e0a64ebdf23 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2253,8 +2253,8 @@ static const struct file_operations smk_access2_ops = { static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - char *data = NULL; - const char *cp = NULL; + char *data; + const char *cp; struct smack_known *skp; struct smack_rule *sp; struct list_head *rule_list; @@ -2276,18 +2276,18 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, if (copy_from_user(data, buf, count) != 0) { rc = -EFAULT; - goto free_out; + goto out_data; } cp = smk_parse_smack(data, count); if (IS_ERR(cp)) { rc = PTR_ERR(cp); - goto free_out; + goto out_data; } skp = smk_find_entry(cp); if (skp == NULL) - goto free_out; + goto out_cp; rule_list = &skp->smk_rules; rule_lock = &skp->smk_rules_lock; @@ -2299,9 +2299,11 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, mutex_unlock(rule_lock); -free_out: - kfree(data); +out_cp: kfree(cp); +out_data: + kfree(data); + return rc; }