[PATCH 28/29] IB/mlx5: Less function calls in create_kernel_qp() after error detection


 



From: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 18 Feb 2017 21:00:50 +0100

The kfree() function was called in up to five cases
by the create_kernel_qp() function during error handling
even if the passed data structure member contained a null pointer.

* Adjust jump targets according to the Linux coding style convention.

* Split a condition check for memory allocation failures so that
  each pointer from these function calls will be checked immediately.

  See also background information:
  Topic "CWE-754: Improper check for unusual or exceptional conditions"
  Link: https://cwe.mitre.org/data/definitions/754.html

Signed-off-by: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
---
 drivers/infiniband/hw/mlx5/qp.c | 43 ++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index e6e9b468b206..c47afce5fc6a 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -930,7 +930,7 @@ static int create_kernel_qp(struct mlx5_ib_dev *dev,
 	*in = mlx5_vzalloc(*inlen);
 	if (!*in) {
 		err = -ENOMEM;
-		goto err_buf;
+		goto free_buffer;
 	}
 
 	qpc = MLX5_ADDR_OF(create_qp_in, *in, qpc);
@@ -952,45 +952,56 @@ static int create_kernel_qp(struct mlx5_ib_dev *dev,
 	err = mlx5_db_alloc(dev->mdev, &qp->db);
 	if (err) {
 		mlx5_ib_dbg(dev, "err %d\n", err);
-		goto err_free;
+		goto vfree_in;
 	}
 
 	qp->sq.wrid = kmalloc_array(qp->sq.wqe_cnt,
 				    sizeof(*qp->sq.wrid),
 				    GFP_KERNEL);
+	if (!qp->sq.wrid)
+		goto free_db;
+
 	qp->sq.wr_data = kmalloc_array(qp->sq.wqe_cnt,
 				       sizeof(*qp->sq.wr_data),
 				       GFP_KERNEL);
+	if (!qp->sq.wr_data)
+		goto free_sq_wrid;
+
 	qp->rq.wrid = kmalloc_array(qp->rq.wqe_cnt,
 				    sizeof(*qp->rq.wrid),
 				    GFP_KERNEL);
+	if (!qp->rq.wrid)
+		goto free_sq_wr_data;
+
 	qp->sq.w_list = kmalloc_array(qp->sq.wqe_cnt,
 				      sizeof(*qp->sq.w_list),
 				      GFP_KERNEL);
+	if (!qp->sq.w_list)
+		goto free_rq_wrid;
+
 	qp->sq.wqe_head = kmalloc_array(qp->sq.wqe_cnt,
 					sizeof(*qp->sq.wqe_head),
 					GFP_KERNEL);
-	if (!qp->sq.wrid || !qp->sq.wr_data || !qp->rq.wrid ||
-	    !qp->sq.w_list || !qp->sq.wqe_head) {
-		err = -ENOMEM;
-		goto err_wrid;
-	}
+	if (!qp->sq.wqe_head)
+		goto free_sq_w_list;
+
 	qp->create_type = MLX5_QP_KERNEL;
 
 	return 0;
-
-err_wrid:
-	kfree(qp->sq.wqe_head);
+free_sq_w_list:
 	kfree(qp->sq.w_list);
-	kfree(qp->sq.wrid);
-	kfree(qp->sq.wr_data);
+free_rq_wrid:
 	kfree(qp->rq.wrid);
+free_sq_wr_data:
+	kfree(qp->sq.wr_data);
+free_sq_wrid:
+	kfree(qp->sq.wrid);
+free_db:
 	mlx5_db_free(dev->mdev, &qp->db);
-
-err_free:
+	err = -ENOMEM;
+vfree_in:
 	kvfree(*in);
-
-err_buf:
+free_buffer:
 	mlx5_buf_free(dev->mdev, &qp->buf);
 	return err;
 }
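Review bot: The `err = -ENOMEM;` assignment now sits inside the unwind chain under `free_db:`, so every path that reaches that label or any label above it has its error code overwritten there. That is correct today because only the five `kmalloc_array()` failures jump to those labels, but a later error path that reuses them with a different code would silently report -ENOMEM; setting `err = -ENOMEM;` once right after the `mlx5_db_alloc()` check and dropping it from the unwind keeps the labels purely about cleanup. The freed members (`qp->sq.wrid`, `qp->sq.wr_data`, `qp->rq.wrid`, `qp->sq.w_list`) and `*in` also keep their stale values after `kfree()`/`kvfree()`. Whether any caller teardown touches them again is not visible here, so it is worth confirming that no double free is possible. The start of create_kernel_qp() lies outside the hunk.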
-- 
2.11.1




