From b119f0178fd86876d0678007dfcf435ab8bb7568 Mon Sep 17 00:00:00 2001
From: Juergen Gross
Date: Wed, 7 Feb 2024 13:52:13 +0100
Subject: [PATCH] Mini-OS: fix 9pfs frontend error path
The early error exit in p9_stat() returns without zeroing the p9_stat buffer, resulting in free() being called with an uninitialized pointer. Fix that by calling free_stat() in p9_stat() in case of returning an error and potentially having allocated strings.
Reported-by: Julien Grall
Fixes: 2d1dfccd3aa3 ("Mini-OS: add read and write support to 9pfsfront")
Signed-off-by: Juergen Gross
Reviewed-by: Samuel Thibault
---
 9pfront.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/9pfront.c b/9pfront.c
index 315089b..042879a 100644
--- a/9pfront.c
+++ b/9pfront.c
@@ -728,6 +728,8 @@ static int p9_stat(struct dev_9pfs *dev, uint32_t fid, struct p9_stat *stat)
 &stat->extension, &stat->n_uid, &stat->n_gid, &stat->n_muid);
 ret = req->result;
+ if ( ret )
+ free_stat(&stat);
 put_free_req(dev, req);
@@ -932,13 +934,13 @@ static int write_9pfs(struct file *file, const void *buf, size_t nbytes)
 if ( f9pfs->append )
 {
 ret = p9_stat(f9pfs->dev, f9pfs->fid, &stat);
- free_stat(&stat);
 if ( ret )
 {
 errno = EIO;
 return -1;
 }
 file->offset = stat.length;
+ free_stat(&stat);
 }
 ret = p9_write(f9pfs->dev, f9pfs->fid, file->offset, buf, nbytes);
--
2.39.5
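Review bot: The added `free_stat(&stat);` in p9_stat() takes the address of the parameter itself: the hunk header declares `struct p9_stat *stat`, so `&stat` is a `struct p9_stat **`. The write_9pfs hunk calls `free_stat(&stat)` on a struct object, which suggests free_stat() expects a `struct p9_stat *`. If so, this call would treat p9_stat()'s own stack slot as a stat buffer and pass whatever bytes lie there to free(), while the strings filled in by the reply parser leak, which is the same invalid-free class the commit is meant to remove. The line should read `free_stat(stat);`. free_stat()'s prototype and the start of p9_stat() are outside the hunk, so confirm against the definition and check that the build does not let the incompatible-pointer warning through.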
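Review bot: The write_9pfs() hunk depends on an ownership rule that nothing in the code states: after a failed p9_stat() the caller must not call free_stat(), and after success it must call it exactly once. A short comment before the `if ( ret )` check would record that, for example `/* On failure p9_stat() has already released the strings in stat. */`. Any other p9_stat() caller outside this hunk that still calls free_stat() unconditionally would need the same reordering; whether a second free_stat() is harmless depends on whether free_stat() clears the pointers, which is not visible here. write_9pfs() starts and ends outside the hunk.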