Post p9_fd_poll() error path which checks m->poll_waddr[i] for PTR_ERR
value has the following problems.
* It's completely unused. Error value is set iff NULL @wait_address
has been specified to p9_pollwait() which is guaranteed not to
happen.
* It dereferences @m after deallocating it (introduced by
571ffeaf and
spotted by Raja R Harinath.
* It returned the wrong value on error. It should return
poll_waddr[i] but it returnes poll_waddr (introduced by
571ffeaf).
* p9_mux_poll_stop() doesn't handle PTR_ERR value. It will try to
operate on the PTR_ERR value as if it's a normal pointer and cause
oops.
As the error path is bogus in the first place, there's no reason to
hold onto it. Kill it.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Raja R Harinath <harinath@hurrynot.org>
return;
}
- if (!wait_address) {
- P9_DPRINTK(P9_DEBUG_ERROR, "no wait_address\n");
- pwait->wait_addr = ERR_PTR(-EIO);
- return;
- }
-
pwait->conn = m;
pwait->wait_addr = wait_address;
init_waitqueue_func_entry(&pwait->wait, p9_pollwake);
static struct p9_conn *p9_conn_create(struct p9_client *client)
{
- int i, n;
+ int n;
struct p9_conn *m;
P9_DPRINTK(P9_DEBUG_MUX, "client %p msize %d\n", client, client->msize);
set_bit(Wpending, &m->wsched);
}
- for (i = 0; i < ARRAY_SIZE(m->poll_wait); i++) {
- if (IS_ERR(m->poll_wait[i].wait_addr)) {
- p9_mux_poll_stop(m);
- kfree(m);
- /* return the error code */
- return (void *)m->poll_wait[i].wait_addr;
- }
- }
-
return m;
}
git://ftp.safe.ca / safe / jmp / linux-2.6 / commitdiff