[patch] mtip32xx: calling kfree() on an error pointer

From: Dan Carpenter
Date: Wed Jan 06 2016 - 05:05:40 EST


If memdup_user() fails then we end up passing an ERR_PTR to kfree()
which is a bug.

Fixes: 85b4d87c9962 ('mtip32xx: don't open-code memdup_user()')
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 618c24f..15bec40 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2032,6 +2032,7 @@ static int exec_drive_taskfile(struct driver_data *dd,
outbuf = memdup_user(buf + outtotal, taskout);
if (IS_ERR(outbuf)) {
err = PTR_ERR(outbuf);
+ outbuf = NULL;
goto abort;
}
outbuf_dma = pci_map_single(dd->pdev,
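Review bot: In the IS_ERR(outbuf) branch, the new `outbuf = NULL;` is only correct because it comes after `err = PTR_ERR(outbuf);`. If the two lines were swapped during a later cleanup, err would silently become 0. A one-line comment on the reset would make that ordering dependency explicit; it could say that the abort path calls kfree() on outbuf, as the commit message describes. An alternative is to assign the memdup_user() result to a temporary and store it in outbuf only on success, so the variable never holds an error pointer at all.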
@@ -2049,6 +2050,7 @@ static int exec_drive_taskfile(struct driver_data *dd,
inbuf = memdup_user(buf + intotal, taskin);
if (IS_ERR(inbuf)) {
err = PTR_ERR(inbuf);
+ inbuf = NULL;
goto abort;
}
inbuf_dma = pci_map_single(dd->pdev,
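Review bot: The reset in the IS_ERR(inbuf) branch repeats the three-line pattern from the outbuf case, which suggests the shared abort label is carrying too much implicit state. It would be worth checking that the abort code, which is not shown in this hunk, tests the pointers themselves and does not rely on the taskin and taskout lengths to decide what to free and unmap, because after this change a failed copy leaves inbuf NULL while taskin is still non-zero. Since outbuf may already be allocated and mapped when this branch is taken, separate unwind labels per resource would avoid the need to reset pointers by hand and would keep a future memdup_user() call in this function from reintroducing the same bug.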