From: Colin Ian King <colin.king@canonical.com>
Date: Tue, 31 Jul 2018 14:02:25 +0000 (+0100)
Subject: xen/gntdev: don't dereference a null gntdev_dmabuf on allocation failure
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=2789e83c933d7da583e592d7958e87493c889605;p=linux.git

xen/gntdev: don't dereference a null gntdev_dmabuf on allocation failure

Currently when the allocation of gntdev_dmabuf fails, the error exit
path will call dmabuf_imp_free_storage and causes a null pointer
dereference on gntdev_dmabuf.  Fix this by adding an error exit path
that won't free gntdev_dmabuf.

Detected by CoverityScan, CID#1472124 ("Dereference after null check")

Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
---

diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c
index faaa4d3970ea5..589fd923c5508 100644
--- a/drivers/xen/gntdev-dmabuf.c
+++ b/drivers/xen/gntdev-dmabuf.c
@@ -569,7 +569,7 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
 
 	gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL);
 	if (!gntdev_dmabuf)
-		goto fail;
+		goto fail_no_free;
 
 	gntdev_dmabuf->u.imp.refs = kcalloc(count,
 					    sizeof(gntdev_dmabuf->u.imp.refs[0]),
@@ -592,6 +592,7 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
 
 fail:
 	dmabuf_imp_free_storage(gntdev_dmabuf);
+fail_no_free:
 	return ERR_PTR(-ENOMEM);
 }