* [patch] mtip32xx: calling kfree() on an error pointer
@ 2016-01-06 10:05 Dan Carpenter
2016-01-06 13:08 ` Al Viro
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2016-01-06 10:05 UTC (permalink / raw)
To: Jens Axboe, Al Viro
Cc: Asai Thambi SP, Selvan Mani, Jeff Moyer, Michal Hocko,
Rasmus Villemoes, linux-kernel, kernel-janitors
If memdup_user() fails then we end up passing an ERR_PTR to kfree()
which is a bug.
Fixes: 85b4d87c9962 ('mtip32xx: don't open-code memdup_user()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 618c24f..15bec40 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2032,6 +2032,7 @@ static int exec_drive_taskfile(struct driver_data *dd,
outbuf = memdup_user(buf + outtotal, taskout);
if (IS_ERR(outbuf)) {
err = PTR_ERR(outbuf);
+ outbuf = NULL;
goto abort;
}
outbuf_dma = pci_map_single(dd->pdev,
@@ -2049,6 +2050,7 @@ static int exec_drive_taskfile(struct driver_data *dd,
inbuf = memdup_user(buf + intotal, taskin);
if (IS_ERR(inbuf)) {
err = PTR_ERR(inbuf);
+ inbuf = NULL;
goto abort;
}
inbuf_dma = pci_map_single(dd->pdev,
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [patch] mtip32xx: calling kfree() on an error pointer
2016-01-06 10:05 [patch] mtip32xx: calling kfree() on an error pointer Dan Carpenter
@ 2016-01-06 13:08 ` Al Viro
2016-01-06 13:16 ` Dan Carpenter
0 siblings, 1 reply; 4+ messages in thread
From: Al Viro @ 2016-01-06 13:08 UTC (permalink / raw)
To: Dan Carpenter
Cc: Jens Axboe, Asai Thambi SP, Selvan Mani, Jeff Moyer, Michal Hocko,
Rasmus Villemoes, linux-kernel, kernel-janitors
On Wed, Jan 06, 2016 at 01:05:03PM +0300, Dan Carpenter wrote:
> If memdup_user() fails then we end up passing an ERR_PTR to kfree()
> which is a bug.
Mind if I fold it (with credit, obviously)?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] mtip32xx: calling kfree() on an error pointer
2016-01-06 13:08 ` Al Viro
@ 2016-01-06 13:16 ` Dan Carpenter
2016-01-06 13:26 ` Al Viro
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2016-01-06 13:16 UTC (permalink / raw)
To: Al Viro
Cc: Jens Axboe, Asai Thambi SP, Selvan Mani, Jeff Moyer, Michal Hocko,
Rasmus Villemoes, linux-kernel, kernel-janitors
On Wed, Jan 06, 2016 at 01:08:00PM +0000, Al Viro wrote:
> On Wed, Jan 06, 2016 at 01:05:03PM +0300, Dan Carpenter wrote:
> > If memdup_user() fails then we end up passing an ERR_PTR to kfree()
> > which is a bug.
>
> Mind if I fold it (with credit, obviously)?
No problem, that's fine.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] mtip32xx: calling kfree() on an error pointer
2016-01-06 13:16 ` Dan Carpenter
@ 2016-01-06 13:26 ` Al Viro
0 siblings, 0 replies; 4+ messages in thread
From: Al Viro @ 2016-01-06 13:26 UTC (permalink / raw)
To: Dan Carpenter
Cc: Jens Axboe, Asai Thambi SP, Selvan Mani, Jeff Moyer, Michal Hocko,
Rasmus Villemoes, linux-kernel, kernel-janitors
On Wed, Jan 06, 2016 at 04:16:50PM +0300, Dan Carpenter wrote:
> On Wed, Jan 06, 2016 at 01:08:00PM +0000, Al Viro wrote:
> > On Wed, Jan 06, 2016 at 01:05:03PM +0300, Dan Carpenter wrote:
> > > If memdup_user() fails then we end up passing an ERR_PTR to kfree()
> > > which is a bug.
> >
> > Mind if I fold it (with credit, obviously)?
>
> No problem, that's fine.
Done.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-01-06 13:26 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-06 10:05 [patch] mtip32xx: calling kfree() on an error pointer Dan Carpenter
2016-01-06 13:08 ` Al Viro
2016-01-06 13:16 ` Dan Carpenter
2016-01-06 13:26 ` Al Viro
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).