From 2789e83c933d7da583e592d7958e87493c889605 Mon Sep 17 00:00:00 2001
From: Colin Ian King
Date: Tue, 31 Jul 2018 15:02:25 +0100
Subject: [PATCH] xen/gntdev: don't dereference a null gntdev_dmabuf on allocation failure
Currently when the allocation of gntdev_dmabuf fails, the error exit path will call dmabuf_imp_free_storage and causes a null pointer dereference on gntdev_dmabuf. Fix this by adding an error exit path that won't free gntdev_dmabuf.
Detected by CoverityScan, CID#1472124 ("Dereference after null check")
Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality")
Signed-off-by: Colin Ian King
Reviewed-by: Boris Ostrovsky
Signed-off-by: Boris Ostrovsky
---
 drivers/xen/gntdev-dmabuf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c
index faaa4d3970ea..589fd923c550 100644
--- a/drivers/xen/gntdev-dmabuf.c
+++ b/drivers/xen/gntdev-dmabuf.c
@@ -569,7 +569,7 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
 gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL);
 if (!gntdev_dmabuf)
- goto fail;
+ goto fail_no_free;
 gntdev_dmabuf->u.imp.refs = kcalloc(count,
 sizeof(gntdev_dmabuf->u.imp.refs[0]),
@@ -592,6 +592,7 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
 fail:
 dmabuf_imp_free_storage(gntdev_dmabuf);
+fail_no_free:
 return ERR_PTR(-ENOMEM);
 }
--
2.11.0
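Review bot: The NULL check after `kzalloc()` has nothing to unwind, so a direct `return ERR_PTR(-ENOMEM);` there would be simpler than jumping to the new `fail_no_free` label, which the second hunk adds only to skip `dmabuf_imp_free_storage()`. Kernel coding style keeps `goto` for exits that share cleanup and returns directly when there is none. The function body starts and ends outside this hunk, so the other `goto fail` sites are not visible here. They should be confirmed to run only after `gntdev_dmabuf` has been allocated.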
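Review bot: The `fail:` label now depends on `gntdev_dmabuf` being non-NULL, and nothing at the label records that. A one-line comment above `dmabuf_imp_free_storage(gntdev_dmabuf);` would state it, for example `/* gntdev_dmabuf is valid here; members not yet allocated are still NULL from kzalloc() */`. `dmabuf_imp_free_storage()` is defined outside the hunk, so whether it tolerates a partially populated object is an assumption. Confirm it before relying on this path for the later allocation failures.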