[patch] mtip32xx: calling kfree() on an error pointer

From: Dan Carpenter
Date: Wed Jan 06 2016 - 05:05:40 EST

Next message: Thomas Gleixner: "Re: [PATCH] dmaengine: xgene-dma: Fix double IRQ issue by setting IRQ_DISABLE_UNLAZY flag"
Previous message: Mateusz Guzik: "Re: [PATCH 1/2] prctl: take mmap sem for writing to protect against others"
Next in thread: Al Viro: "Re: [patch] mtip32xx: calling kfree() on an error pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If memdup_user() fails then we end up passing an ERR_PTR to kfree()
which is a bug.

Fixes: 85b4d87c9962 ('mtip32xx: don't open-code memdup_user()')
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 618c24f..15bec40 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2032,6 +2032,7 @@ static int exec_drive_taskfile(struct driver_data *dd,
outbuf = memdup_user(buf + outtotal, taskout);
if (IS_ERR(outbuf)) {
err = PTR_ERR(outbuf);
+ outbuf = NULL;
goto abort;
}
outbuf_dma = pci_map_single(dd->pdev,
@@ -2049,6 +2050,7 @@ static int exec_drive_taskfile(struct driver_data *dd,
inbuf = memdup_user(buf + intotal, taskin);
if (IS_ERR(inbuf)) {
err = PTR_ERR(inbuf);
+ inbuf = NULL;
goto abort;
}
inbuf_dma = pci_map_single(dd->pdev,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thomas Gleixner: "Re: [PATCH] dmaengine: xgene-dma: Fix double IRQ issue by setting IRQ_DISABLE_UNLAZY flag"
Previous message: Mateusz Guzik: "Re: [PATCH 1/2] prctl: take mmap sem for writing to protect against others"
Next in thread: Al Viro: "Re: [patch] mtip32xx: calling kfree() on an error pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]