If lock_user_struct fails, frame is uninitialized but the badframe label unconditionally calls unlock_user_struct on it. Handle the lock failure inline so badframe is only reached with a valid lock.
Signed-off-by: Matt Turner <[email protected]> --- linux-user/xtensa/signal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git ./linux-user/xtensa/signal.c ./linux-user/xtensa/signal.c index e3f9da322b..4990c50045 100644 --- ./linux-user/xtensa/signal.c +++ ./linux-user/xtensa/signal.c @@ -355,7 +355,8 @@ long do_rt_sigreturn(CPUXtensaState *env) trace_user_do_rt_sigreturn(env, frame_addr); if (!lock_user_struct(VERIFY_READ, frame, frame_addr, 1)) { - goto badframe; + force_sig(TARGET_SIGSEGV); + return -QEMU_ESIGRETURN; } target_to_host_sigset(&set, &frame->uc.tuc_sigmask); set_sigmask(&set); -- 2.53.0
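Review bot: The inline `force_sig(TARGET_SIGSEGV); return -QEMU_ESIGRETURN;` in the `lock_user_struct` failure branch is the right shape, since reaching `badframe` there would pass an uninitialized `frame` to `unlock_user_struct`; please confirm in the surrounding function that the `badframe` label itself still ends with the same `force_sig`/`-QEMU_ESIGRETURN` pair so the two error paths stay consistent, and that every remaining `goto badframe` in `do_rt_sigreturn` is only reached after the lock succeeded (the trailing context, `target_to_host_sigset(&set, &frame->uc.tuc_sigmask)`, is). If the duplicated tail is a concern, a second label that skips the unlock would keep a single exit path, but the patch is correct as is.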
