diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-01-30 10:55:04 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-01-30 16:37:55 -0500 |
commit | cdaf25dfc058ee6f7a7b2e2353de00fa288c0cd4 (patch) | |
tree | a45096fd9e8aaeea2eac1f1999a3d17dfeb0d02b /net/smc | |
parent | 1930b60352e7e195f55b27cde15d2a8f43342a8b (diff) | |
download | op-kernel-dev-cdaf25dfc058ee6f7a7b2e2353de00fa288c0cd4.zip op-kernel-dev-cdaf25dfc058ee6f7a7b2e2353de00fa288c0cd4.tar.gz |
smc: some potential use after free bugs
Say we got really unlucky and these failed on the last iteration, then
it could lead to a use after free bug.
Fixes: cd6851f30386 ("smc: remote memory buffers (RMBs)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/smc')
-rw-r--r-- | net/smc/smc_core.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 8b1d343..0eac633 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -532,6 +532,7 @@ int smc_sndbuf_create(struct smc_sock *smc) __GFP_NORETRY); if (!sndbuf_desc->cpu_addr) { kfree(sndbuf_desc); + sndbuf_desc = NULL; /* if send buffer allocation has failed, * try a smaller one */ @@ -543,6 +544,7 @@ int smc_sndbuf_create(struct smc_sock *smc) if (rc) { kfree(sndbuf_desc->cpu_addr); kfree(sndbuf_desc); + sndbuf_desc = NULL; continue; /* if mapping failed, try smaller one */ } sndbuf_desc->used = 1; @@ -596,6 +598,7 @@ int smc_rmb_create(struct smc_sock *smc) __GFP_NORETRY); if (!rmb_desc->cpu_addr) { kfree(rmb_desc); + rmb_desc = NULL; /* if RMB allocation has failed, * try a smaller one */ @@ -607,6 +610,7 @@ int smc_rmb_create(struct smc_sock *smc) if (rc) { kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; /* if mapping failed, try smaller one */ } rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd, @@ -619,6 +623,7 @@ int smc_rmb_create(struct smc_sock *smc) DMA_FROM_DEVICE); kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; } rmb_desc->used = 1; |