From cdaf25dfc058ee6f7a7b2e2353de00fa288c0cd4 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 30 Jan 2017 10:55:04 +0100 Subject: [PATCH] smc: some potential use after free bugs Say we got really unlucky and these failed on the last iteration, then it could lead to a use after free bug. Fixes: cd6851f30386 ("smc: remote memory buffers (RMBs)") Signed-off-by: Dan Carpenter Signed-off-by: Ursula Braun Signed-off-by: David S. Miller --- net/smc/smc_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 8b1d34378829..0eac633fb354 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -532,6 +532,7 @@ int smc_sndbuf_create(struct smc_sock *smc) __GFP_NORETRY); if (!sndbuf_desc->cpu_addr) { kfree(sndbuf_desc); + sndbuf_desc = NULL; /* if send buffer allocation has failed, * try a smaller one */ @@ -543,6 +544,7 @@ int smc_sndbuf_create(struct smc_sock *smc) if (rc) { kfree(sndbuf_desc->cpu_addr); kfree(sndbuf_desc); + sndbuf_desc = NULL; continue; /* if mapping failed, try smaller one */ } sndbuf_desc->used = 1; @@ -596,6 +598,7 @@ int smc_rmb_create(struct smc_sock *smc) __GFP_NORETRY); if (!rmb_desc->cpu_addr) { kfree(rmb_desc); + rmb_desc = NULL; /* if RMB allocation has failed, * try a smaller one */ @@ -607,6 +610,7 @@ int smc_rmb_create(struct smc_sock *smc) if (rc) { kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; /* if mapping failed, try smaller one */ } rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd, @@ -619,6 +623,7 @@ int smc_rmb_create(struct smc_sock *smc) DMA_FROM_DEVICE); kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; } rmb_desc->used = 1; -- GitLab