public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed
* [patch] cciss: freeing uninitialized data on error path
@ 2010-09-11 23:39 Dan Carpenter
  2010-09-13 12:09 ` Jens Axboe
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2010-09-11 23:39 UTC (permalink / raw)
  To: kernel-janitors

The "h->scatter_list" is allocated inside a for loop.  If any of those
allocations fail, then the rest of the list is uninitialized data.  When
we free it we should start from the top and free backwards so that we
don't call kfree() on uninitialized pointers.

Also if the allocation for "h->scatter_list" fails then we would get an
Oops here.  I should have noticed this when I send: 4ee69851c "cciss:
handle allocation failure."  but I didn't.  Sorry about that.

Signed-off-by: Dan Carpenter <error27@gmail.com>

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6124c2f..5e4fadc 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -4792,7 +4792,7 @@ static int __devinit cciss_init_one(struct pci_dev *pdev,
 clean4:
 	kfree(h->cmd_pool_bits);
 	/* Free up sg elements */
-	for (k = 0; k < h->nr_cmds; k++)
+	for (k-- ; k >= 0; k--)
 		kfree(h->scatter_list[k]);
 	kfree(h->scatter_list);
 	cciss_free_sg_chain_blocks(h->cmd_sg_list, h->nr_cmds);

^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-09-13 12:09 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-11 23:39 [patch] cciss: freeing uninitialized data on error path Dan Carpenter
2010-09-13 12:09 ` Jens Axboe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox