From 501bb4b0cb1debf2b495f0ba3980b97ceca652f5 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 17 Feb 2014 18:55:33 +0000 Subject: linux-user: Fix error handling in lock_iovec() In lock_iovec() if lock_user() failed we were doing an unlock_user but not a free(vec), which is the wrong way round. We were also assuming that free() and unlock_user() don't touch errno, which is not guaranteed. Fix both these problems. Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'linux-user/syscall.c') diff --git a/linux-user/syscall.c b/linux-user/syscall.c index f370087..bb3e4b1 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -1707,6 +1707,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr, struct iovec *vec; abi_ulong total_len, max_len; int i; + int err = 0; if (count == 0) { errno = 0; @@ -1726,7 +1727,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr, target_vec = lock_user(VERIFY_READ, target_addr, count * sizeof(struct target_iovec), 1); if (target_vec == NULL) { - errno = EFAULT; + err = EFAULT; goto fail2; } @@ -1740,7 +1741,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr, abi_long len = tswapal(target_vec[i].iov_len); if (len < 0) { - errno = EINVAL; + err = EINVAL; goto fail; } else if (len == 0) { /* Zero length pointer is ignored. */ @@ -1748,7 +1749,7 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr, } else { vec[i].iov_base = lock_user(type, base, len, copy); if (!vec[i].iov_base) { - errno = EFAULT; + err = EFAULT; goto fail; } if (len > max_len - total_len) { @@ -1763,9 +1764,10 @@ static struct iovec *lock_iovec(int type, abi_ulong target_addr, return vec; fail: - free(vec); - fail2: unlock_user(target_vec, target_addr, 0); + fail2: + free(vec); + errno = err; return NULL; } -- cgit v1.1 From fff8c539bd69dce14c63827111e9d74e6b961317 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Sat, 18 Jan 2014 07:38:30 +0100 Subject: linux-user: Implement BLKPG ioctl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andreas Färber Reviewed-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 1 + 1 file changed, 1 insertion(+) (limited to 'linux-user/syscall.c') diff --git a/linux-user/syscall.c b/linux-user/syscall.c index bb3e4b1..8f5a58e 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -107,6 +107,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base, #include #include #include +#include #include "linux_loop.h" #include "cpu-uname.h" -- cgit v1.1 From 69d4c703a549f0630793a67b16a8fc6bc14c8654 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 17 Feb 2014 18:55:34 +0000 Subject: linux-user: Fix error handling in target_to_host_semarray() Fix two issues in error handling in target_to_host_semarray(): * don't leak the host_array buffer if lock_user fails * return an error if malloc() fails v2: added missing * -Riku Voipio Signed-off-by: Peter Maydell Signed-off-by: Riku Voipio --- linux-user/syscall.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'linux-user/syscall.c') diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 8f5a58e..1407b7a 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -2430,10 +2430,15 @@ static inline abi_long target_to_host_semarray(int semid, unsigned short **host_ nsems = semid_ds.sem_nsems; *host_array = malloc(nsems*sizeof(unsigned short)); + if (!*host_array) { + return -TARGET_ENOMEM; + } array = lock_user(VERIFY_READ, target_addr, nsems*sizeof(unsigned short), 1); - if (!array) + if (!array) { + free(*host_array); return -TARGET_EFAULT; + } for(i=0; i