fs/efivarfs: Fix double kfree() in error path

Julia reported that we may double free 'name' in efivarfs_callback(), and that this bug was introduced by commit 0d22f33 ("efi: Don't use spinlocks for efi vars"). Move one of the kfree()s until after the point at which we know we are definitely on the success path. Reported-by: Julia Lawall <[email protected]> Acked-by: Julia Lawall <[email protected]> Cc: Ard Biesheuvel <[email protected]> Cc: Sylvain Chouleur <[email protected]> Signed-off-by: Matt Fleming <[email protected]>
tomthink · Sep 9, 2016 · 22c2b77 · 22c2b77
1 parent 0513fe1
commit 22c2b77
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
@@ -157,14 +157,14 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor,
 		goto fail_inode;
 	}
 
-	/* copied by the above to local storage in the dentry. */
-	kfree(name);
-
 	efivar_entry_size(entry, &size);
 	err = efivar_entry_add(entry, &efivarfs_list);
 	if (err)
 		goto fail_inode;
 
+	/* copied by the above to local storage in the dentry. */
+	kfree(name);
+
 	inode_lock(inode);
 	inode->i_private = entry;
 	i_size_write(inode, size + sizeof(entry->var.Attributes));