[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] bug in xenbus_dev.c?

  • To: "List: Xen Developers" <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
  • Date: Sun, 21 Dec 2008 14:32:51 +1100
  • Delivery-date: Sat, 20 Dec 2008 19:33:23 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcljHM1SD22YfGTjR/C/pV37F8pIdw==
  • Thread-topic: bug in xenbus_dev.c?

I'm implementing a userspace channel in the GPLPV drivers so that the
xenstore tools (once ported) can work, and I noticed this code in the
xenbus_dev_write() function in xenbus_dev.c:

        case XS_SET_PERMS:
                if (msg_type == XS_TRANSACTION_START) {
-->A                    trans = kmalloc(sizeof(*trans), GFP_KERNEL);
                        if (!trans) {
                                rc = -ENOMEM;
                                goto out;

                reply = xenbus_dev_request_and_reply(&u->u.msg);
                if (IS_ERR(reply)) {
-->B                    kfree(trans);
                        rc = PTR_ERR(reply);
                        goto out;

The code at A is only executed if 'msg_type == XS_TRANSACTION_START',
but isn't it possible for B to be executed in the
non-XS_TRANSACTION_START code path, resulting in kfree(NULL)?


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.