From: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org
To: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: [Bug 78441] New: kmem_cache_free() shouldn't be called when the call to kmem_cache_alloc() fails.
Date: Fri, 20 Jun 2014 03:17:49 +0000
Message-ID: <bug-78441-11804@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=78441

            Bug ID: 78441
           Summary: kmem_cache_free() shouldn't be called when the call to
                    kmem_cache_alloc() fails.
           Product: Drivers
           Version: 2.5
    Kernel Version: 2.6.39
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Infiniband/RDMA
          Assignee: drivers_infiniband-rdma-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
          Reporter: rucsoftsec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
        Regression: No

In function transport_generic_get_mem() at
drivers/target/target_core_transport.c:4340, function kmem_cache_free() is
called even when the call to kmem_cache_alloc() failed. So an invalid memory
access may be triggered.
The related code snippets in transport_generic_get_mem() are as follows.
transport_generic_get_mem() @@drivers/target/target_core_transport.c:4340
4339 static int
4340 transport_generic_get_mem(struct se_cmd *cmd, u32 length, u32 dma_size)
4341 {
4342         unsigned char *buf;
4343         struct se_mem *se_mem;
     ...
4360                 if (!(T_TASK(cmd)->t_mem_bidi_list)) {
4361                         kfree(T_TASK(cmd)->t_mem_list);
4362                         return -ENOMEM;
4363                 }
4364         }
4365 
4366         while (length) {
4367                 se_mem = kmem_cache_zalloc(se_mem_cache, GFP_KERNEL);
4368                 if (!(se_mem)) {
4369                         printk(KERN_ERR "Unable to allocate struct se_mem\n");
4370                         goto out;
4371                 }
     ...
4402 
4403         return 0;
4404 out:
4405         if (se_mem)
4406                 __free_pages(se_mem->se_page, 0);
4407         kmem_cache_free(se_mem_cache, se_mem);
4408         return -1;
4409 }

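Added example, not part of the original report and not kernel code: a userspace C model of the reported error path with an injected allocation failure, counting how often the cache free is handed NULL with the cleanup as reported and with a guarded variant. The mock_* helpers, the get_mem() parameters and the counters are hypothetical stand-ins, and the guard is one possible correction, not an upstream patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins (assumptions, not kernel code) for the calls in the report. */
struct se_mem { void *se_page; };
static int allocs_until_fail;  /* injected fault: succeed this many times, then fail */
static int null_frees;         /* how often the cache free was handed NULL */

static struct se_mem *mock_cache_zalloc(void)
{
    return allocs_until_fail-- > 0 ? calloc(1, sizeof(struct se_mem)) : NULL;
}

static void mock_cache_free(struct se_mem *p)
{
    if (!p)
        null_frees++;          /* record the bad call; the mock never touches NULL */
    free(p);                   /* free(NULL) is a no-op in userspace */
}

/* Shaped like the reported loop and out: label; guarded=0 mirrors line 4407. */
static int get_mem(int ok_allocs, unsigned int length, int guarded)
{
    struct se_mem *se_mem = NULL;

    allocs_until_fail = ok_allocs;
    null_frees = 0;
    while (length--) {
        se_mem = mock_cache_zalloc();
        if (!se_mem)
            goto out;
        mock_cache_free(se_mem);   /* steps elided in the report are not modelled */
    }
    return 0;
out:
    if (se_mem)
        free(se_mem->se_page);     /* stands in for __free_pages() */
    if (!guarded || se_mem)
        mock_cache_free(se_mem);   /* guarded=1 skips the free when se_mem is NULL */
    return -1;
}

int main(void)
{
    int r0 = get_mem(2, 3, 0), n0 = null_frees;
    int r1 = get_mem(2, 3, 1), n1 = null_frees;
    printf("as reported: ret=%d NULL frees=%d; guarded: ret=%d NULL frees=%d\n", r0, n0, r1, n1);
    return 0;
}
```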

                 reply	other threads:[~2014-06-20  3:17 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-78441-11804@https.bugzilla.kernel.org/ \
    --to=bugzilla-daemon-590eeb7gvniway/ihj7yzeb+6bgklq7r@public.gmane.org \
    --cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.