From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752334AbcAFKFh (ORCPT ); Wed, 6 Jan 2016 05:05:37 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:36301 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752094AbcAFKFd (ORCPT ); Wed, 6 Jan 2016 05:05:33 -0500 Date: Wed, 6 Jan 2016 13:05:03 +0300 From: Dan Carpenter To: Jens Axboe , Al Viro Cc: Asai Thambi SP , Selvan Mani , Jeff Moyer , Michal Hocko , Rasmus Villemoes , linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] mtip32xx: calling kfree() on an error pointer Message-ID: <20160106100503.GH23185@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If memdup_user() fails then we end up passing an ERR_PTR to kfree() which is a bug. Fixes: 85b4d87c9962 ('mtip32xx: don't open-code memdup_user()') Signed-off-by: Dan Carpenter diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c index 618c24f..15bec40 100644 --- a/drivers/block/mtip32xx/mtip32xx.c +++ b/drivers/block/mtip32xx/mtip32xx.c @@ -2032,6 +2032,7 @@ static int exec_drive_taskfile(struct driver_data *dd, outbuf = memdup_user(buf + outtotal, taskout); if (IS_ERR(outbuf)) { err = PTR_ERR(outbuf); + outbuf = NULL; goto abort; } outbuf_dma = pci_map_single(dd->pdev, @@ -2049,6 +2050,7 @@ static int exec_drive_taskfile(struct driver_data *dd, inbuf = memdup_user(buf + intotal, taskin); if (IS_ERR(inbuf)) { err = PTR_ERR(inbuf); + inbuf = NULL; goto abort; } inbuf_dma = pci_map_single(dd->pdev,