[Xen-devel] bug in xenbus_dev.c?


  • To: "List: Xen Developers" <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
  • Date: Sun, 21 Dec 2008 14:32:51 +1100
  • Delivery-date: Sat, 20 Dec 2008 19:33:23 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcljHM1SD22YfGTjR/C/pV37F8pIdw==
  • Thread-topic: bug in xenbus_dev.c?

I'm implementing a userspace channel in the GPLPV drivers so that the
xenstore tools (once ported) can work, and I noticed this code in the
xenbus_dev_write() function in xenbus_dev.c:

"
        case XS_SET_PERMS:
                if (msg_type == XS_TRANSACTION_START) {
-->A                    trans = kmalloc(sizeof(*trans), GFP_KERNEL);
                        if (!trans) {
                                rc = -ENOMEM;
                                goto out;
                        }
                }

                reply = xenbus_dev_request_and_reply(&u->u.msg);
                if (IS_ERR(reply)) {
-->B                    kfree(trans);
                        rc = PTR_ERR(reply);
                        goto out;
                }
"

The code at A is only executed if 'msg_type == XS_TRANSACTION_START',
but isn't it possible for B to be executed in the
non-XS_TRANSACTION_START code path, resulting in kfree(NULL)?

James
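As an added illustration of the control flow the post asks about (this is not code from the message or from the Xen tree), the model below walks both paths of the quoted fragment. It stands in for xenbus_dev_write() with malloc()/free() and a kfree_stub() that counts how often it is handed NULL; the message-type constants, the error codes and the premise that trans starts out NULL in that function are assumptions of the model. In Linux, kfree(NULL) is defined as a no-op, so the stub mirrors that rather than treating a NULL free as a fault; the model only records whether point B is reached with a NULL pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the xenstore message types named in the post. */
enum { XS_TRANSACTION_START = 1, XS_SET_PERMS = 2 };

/* Assumed shape of the per-transaction record; only its size matters here. */
struct xenbus_dev_transaction_stub { int id; };

static int kfree_null_calls; /* number of times the stub was handed NULL */

/* Mirrors kfree(): NULL is a no-op, anything else is released. */
static void kfree_stub(void *p)
{
    if (p == NULL)
        kfree_null_calls++;
    else
        free(p);
}

/*
 * Model of the quoted xenbus_dev_write() fragment.
 *   msg_type      - XS_TRANSACTION_START or another type (e.g. XS_SET_PERMS)
 *   request_fails - 1 simulates xenbus_dev_request_and_reply() returning an error
 *   *freed_null   - set to 1 if point B ran with trans == NULL, else 0
 * Returns 0 on success, -ENOMEM if A fails, -EIO if the request fails.
 */
int model_write(int msg_type, int request_fails, int *freed_null)
{
    struct xenbus_dev_transaction_stub *trans = NULL; /* assumed: starts NULL */
    int rc = 0;
    int before = kfree_null_calls;

    if (msg_type == XS_TRANSACTION_START) {
        trans = malloc(sizeof(*trans));               /* point A */
        if (!trans) {
            rc = -ENOMEM;
            goto out;
        }
    }

    if (request_fails) {
        kfree_stub(trans);                            /* point B */
        trans = NULL;
        rc = -EIO;
        goto out;
    }

    /* Success path: the real function keeps trans on a per-user list;
     * the model simply releases it so the example does not leak. */
    free(trans);

out:
    *freed_null = (kfree_null_calls > before) ? 1 : 0;
    return rc;
}
```

Calling model_write(XS_SET_PERMS, 1, &flag) reaches B with trans still NULL and sets flag, while model_write(XS_TRANSACTION_START, 1, &flag) frees a real allocation and leaves flag clear; that is exactly the path difference the post describes.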


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel