From: Dan Carpenter Date: Mon, 30 Jan 2017 09:55:04 +0000 (+0100) Subject: smc: some potential use after free bugs X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=cdaf25dfc058ee6f7a7b2e2353de00fa288c0cd4;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git smc: some potential use after free bugs Say we got really unlucky and these failed on the last iteration, then it could lead to a use after free bug. Fixes: cd6851f30386 ("smc: remote memory buffers (RMBs)") Signed-off-by: Dan Carpenter Signed-off-by: Ursula Braun Signed-off-by: David S. Miller --- diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 8b1d34378829..0eac633fb354 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -532,6 +532,7 @@ int smc_sndbuf_create(struct smc_sock *smc) __GFP_NORETRY); if (!sndbuf_desc->cpu_addr) { kfree(sndbuf_desc); + sndbuf_desc = NULL; /* if send buffer allocation has failed, * try a smaller one */ @@ -543,6 +544,7 @@ int smc_sndbuf_create(struct smc_sock *smc) if (rc) { kfree(sndbuf_desc->cpu_addr); kfree(sndbuf_desc); + sndbuf_desc = NULL; continue; /* if mapping failed, try smaller one */ } sndbuf_desc->used = 1; @@ -596,6 +598,7 @@ int smc_rmb_create(struct smc_sock *smc) __GFP_NORETRY); if (!rmb_desc->cpu_addr) { kfree(rmb_desc); + rmb_desc = NULL; /* if RMB allocation has failed, * try a smaller one */ @@ -607,6 +610,7 @@ int smc_rmb_create(struct smc_sock *smc) if (rc) { kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; /* if mapping failed, try smaller one */ } rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd, @@ -619,6 +623,7 @@ int smc_rmb_create(struct smc_sock *smc) DMA_FROM_DEVICE); kfree(rmb_desc->cpu_addr); kfree(rmb_desc); + rmb_desc = NULL; continue; } rmb_desc->used = 1;