Julia reported that we may double free 'name' in efivarfs_callback(),
and that this bug was introduced by commit 0d22f33bc37c ("efi: Don't
use spinlocks for efi vars").Move one of the kfree()s until after the point at which we know we are definitely on the success path. Reported-by: Julia Lawall <[email protected]> Acked-by: Julia Lawall <[email protected]> Cc: Ard Biesheuvel <[email protected]> Cc: Sylvain Chouleur <[email protected]> Signed-off-by: Matt Fleming <[email protected]> --- fs/efivarfs/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 01e3d6e53944..d7a7c53803c1 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -157,14 +157,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor, goto fail_inode; } - /* copied by the above to local storage in the dentry. */ - kfree(name); - efivar_entry_size(entry, &size); err = efivar_entry_add(entry, &efivarfs_list); if (err) goto fail_inode; + /* copied by the above to local storage in the dentry. */ + kfree(name); + inode_lock(inode); inode->i_private = entry; i_size_write(inode, size + sizeof(entry->var.Attributes)); -- 2.9.3
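Review bot: the relocated comment "copied by the above to local storage in the dentry" now sits directly under efivar_entry_add(), so "the above" reads as if efivar_entry_add() did the copy, when the copy happened in the dentry setup earlier in the function; reword it to something like `/* name was copied into the dentry earlier; free it now that the entry is registered and no failure path remains. */`. The move itself is the right fix: with kfree(name) ahead of efivar_entry_add(), the `goto fail_inode` on its error return jumped into the failure cleanup with name already freed, and the commit message states that the other kfree(name) lives on that failure path, hence the double free. It would be worth confirming in the same review that the fail_inode cleanup still frees name exactly once for the earlier `goto fail_inode` visible at the top of the hunk, which runs before either kfree().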

