xen/gntdev: don't dereference a null gntdev_dmabuf on allocation failure

Currently when the allocation of gntdev_dmabuf fails, the error exit path will call dmabuf_imp_free_storage and causes a null pointer dereference on gntdev_dmabuf. Fix this by adding an error exit path that won't free gntdev_dmabuf. Detected by CoverityScan, CID#1472124 ("Dereference after null check") Fixes: bf8dc55 ("xen/gntdev: Implement dma-buf import functionality") Signed-off-by: Colin Ian King <[email protected]> Reviewed-by: Boris Ostrovsky <[email protected]> Signed-off-by: Boris Ostrovsky <[email protected]>
otyshchenko1 · Jul 31, 2018 · 2789e83 · 2789e83
1 parent 47b428d
commit 2789e83
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c
@@ -569,7 +569,7 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
 
 	gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL);
 	if (!gntdev_dmabuf)
-		goto fail;
+		goto fail_no_free;
 
 	gntdev_dmabuf->u.imp.refs = kcalloc(count,
 					    sizeof(gntdev_dmabuf->u.imp.refs[0]),
@@ -592,6 +592,7 @@ static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count)
 
 fail:
 	dmabuf_imp_free_storage(gntdev_dmabuf);
+fail_no_free:
 	return ERR_PTR(-ENOMEM);
 }