* fs/namespace.c:dup_namespace(): fix a use after free
From: Adrian Bunk @ 2006-03-15 16:37 UTC
To: linux-kernel
The Coverity checker spotted the following bug in dup_namespace():
<-- snip -->
	if (!new_ns->root) {
		up_write(&namespace_sem);
		kfree(new_ns);
		goto out;
	}
...
out:
	return new_ns;
<-- snip -->
Callers expect a non-NULL result to not be freed.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
--- linux-2.6.16-rc6-mm1-full/fs/namespace.c.old 2006-03-14 03:22:30.000000000 +0100
+++ linux-2.6.16-rc6-mm1-full/fs/namespace.c 2006-03-14 03:23:14.000000000 +0100
@@ -1389,7 +1389,7 @@ struct namespace *dup_namespace(struct t
new_ns = kmalloc(sizeof(struct namespace), GFP_KERNEL);
if (!new_ns)
- goto out;
+ return NULL;
atomic_set(&new_ns->count, 1);
INIT_LIST_HEAD(&new_ns->list);
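Review bot: The changelog should say that the return NULL on the kmalloc() failure path is not part of the fix. With new_ns NULL at that point, the old goto out already returned NULL through "return new_ns", so this line changes no behaviour and is needed only because the out: label is dropped later in the patch. One sentence to that effect would keep the cleanup from being read as a second bug.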
@@ -1403,7 +1403,7 @@ struct namespace *dup_namespace(struct t
if (!new_ns->root) {
up_write(&namespace_sem);
kfree(new_ns);
- goto out;
+ return NULL;
}
spin_lock(&vfsmount_lock);
list_add_tail(&new_ns->list, &new_ns->root->mnt_list);
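Review bot: In the !new_ns->root branch, adding "new_ns = NULL;" before the existing goto out would fix the freed-pointer return in one line and keep the single exit, which would make the first and third hunks unnecessary. The direct return NULL used here is equally correct, since out: only does "return new_ns" and has nothing to unwind, and up_write(&namespace_sem) still runs before the return. This is a question of patch size, not correctness.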
@@ -1444,7 +1444,6 @@ struct namespace *dup_namespace(struct t
if (altrootmnt)
mntput(altrootmnt);
-out:
return new_ns;
}
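Review bot: Removing the out: label is safe only if no goto out is left in the part of the function between the second hunk and this one, which the diff does not show. The two visible users are converted, and a leftover one would fail to build rather than misbehave, so a compile of fs/namespace.c is enough to confirm. After this hunk "return new_ns" is reached only on the success path, which is what the changelog's statement about callers relies on.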