In function xen_9pfs_front_probe(), variable len is checked against 0 to to check the case that xenbus_read() fails. However, xenbus_read() may return an ERR_PTR pointer even aften assigning a non-zero value to len. As a result, the check of len cannot prevent from accessing bad memory.
Signed-off-by: Pan Bian <bianpan2...@163.com> --- net/9p/trans_xen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c index 6ad3e04..c548781 100644 --- a/net/9p/trans_xen.c +++ b/net/9p/trans_xen.c @@ -389,7 +389,7 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev, unsigned int max_rings, max_ring_order, len = 0; versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len); - if (!len) + if (IS_ERR(versions)) return -EINVAL; if (strcmp(versions, "1")) { kfree(versions); -- 1.9.1