public inbox for linux-rdma@vger.kernel.org
* [Bug 78441] New: kmem_cache_free() shouldn't be called when the call to kmem_cache_alloc() fails.
@ 2014-06-20  3:17 bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r
  0 siblings, 0 replies; only message in thread
From: bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r @ 2014-06-20  3:17 UTC (permalink / raw)
  To: linux-rdma-u79uwXL29TY76Z2rM5mHXA

https://bugzilla.kernel.org/show_bug.cgi?id=78441

            Bug ID: 78441
           Summary: kmem_cache_free() shouldn't be called when the call to
                    kmem_cache_alloc() fails.
           Product: Drivers
           Version: 2.5
    Kernel Version: 2.6.39
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Infiniband/RDMA
          Assignee: drivers_infiniband-rdma-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
          Reporter: rucsoftsec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
        Regression: No

In function transport_generic_get_mem() at
drivers/target/target_core_transport.c:4340, function kmem_cache_free() is
called even when the call to kmem_cache_alloc() failed. So an invalid memory
access may be triggered.
The related code snippets in transport_generic_get_mem() are as follows.
transport_generic_get_mem() @@drivers/target/target_core_transport.c:4340
4339 static int
4340 transport_generic_get_mem(struct se_cmd *cmd, u32 length, u32 dma_size)
4341 {
4342         unsigned char *buf;
4343         struct se_mem *se_mem;
     ...
4360                 if (!(T_TASK(cmd)->t_mem_bidi_list)) {
4361                         kfree(T_TASK(cmd)->t_mem_list);
4362                         return -ENOMEM;
4363                 }
4364         }
4365 
4366         while (length) {
4367                 se_mem = kmem_cache_zalloc(se_mem_cache, GFP_KERNEL);
4368                 if (!(se_mem)) {
4369                         printk(KERN_ERR "Unable to allocate struct se_mem\n");
4370                         goto out;
4371                 }
     ...
4402 
4403         return 0;
4404 out:
4405         if (se_mem)
4406                 __free_pages(se_mem->se_page, 0);
4407         kmem_cache_free(se_mem_cache, se_mem);
4408         return -1;
4409 }

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
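
The error path described in the report can be exercised with a small userspace fault-injection model. This is an added example, not code from the bug report or the kernel tree: `cache_zalloc`, `cache_free`, `get_mem`, `null_frees_on_failure` and the `guarded` flag are hypothetical stand-ins, the elided loop body is replaced by an immediate release, and the guarded branch is one possible correction rather than a fix taken from the page.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of the quoted error path; every helper is a constructed stand-in. */
struct se_mem { void *se_page; };
static int fail_at, alloc_calls, null_frees;	/* fault injection: fail_at-th alloc fails */

static struct se_mem *cache_zalloc(void)
{
	return ++alloc_calls == fail_at ? NULL : calloc(1, sizeof(struct se_mem));
}

/* Assumption taken from the report: the real free routine must never be handed NULL. */
static void cache_free(struct se_mem *p)
{
	null_frees += !p;	/* the model counts the bad call instead of faulting */
	free(p);		/* free(NULL) is a harmless no-op in userspace */
}

/* guarded == 0 mirrors the quoted out: label; guarded == 1 is one possible correction. */
static int get_mem(unsigned int chunks, int guarded)
{
	struct se_mem *se_mem = NULL;
	while (chunks--) {
		se_mem = cache_zalloc();
		if (!se_mem)
			goto out;
		cache_free(se_mem);	/* stand-in for the elided loop body */
	}
	return 0;
out:
	if (se_mem)
		free(se_mem->se_page);
	if (se_mem || !guarded)
		cache_free(se_mem);	/* unguarded form reaches this with se_mem == NULL */
	return -1;
}

static int null_frees_on_failure(int nth, int guarded)
{
	fail_at = nth;			/* fail the nth of four allocations */
	alloc_calls = null_frees = 0;
	get_mem(4, guarded);
	return null_frees;		/* NULL frees seen on the error path */
}

int main(void)
{
	printf("quoted: %d, guarded: %d\n", null_frees_on_failure(2, 0), null_frees_on_failure(2, 1));
	return 0;
}
```

Sweeping `nth` across every allocation in the loop is what makes the check useful: each failure point takes the same `out:` label, so one unguarded free is hit from all of them.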
