adapter->kioc_list is allocated using kmalloc_array() so its values are left uninitialized. In a rare OOM case when dma_pool_alloc() fails in mraid_mm_register_adp(), we should free the already allocated DMA pools but comparing kioc->pthru32 with NULL doesn't guard from accessing uninit memory. Properly roll back in error case: free array members with lower indices. Found by Linux Verification Center (linuxtesting.org). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx> --- drivers/scsi/megaraid/megaraid_mm.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c index c509440bd161..701eb5ee2a69 100644 --- a/drivers/scsi/megaraid/megaraid_mm.c +++ b/drivers/scsi/megaraid/megaraid_mm.c @@ -1001,12 +1001,10 @@ mraid_mm_register_adp(mraid_mmadp_t *lld_adp) pthru_dma_pool_error: - for (i = 0; i < lld_adp->max_kioc; i++) { + while (--i >= 0) { kioc = adapter->kioc_list + i; - if (kioc->pthru32) { - dma_pool_free(adapter->pthru_dma_pool, kioc->pthru32, - kioc->pthru32_h); - } + dma_pool_free(adapter->pthru_dma_pool, kioc->pthru32, + kioc->pthru32_h); } memalloc_error: -- 2.43.0
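Review bot: The `while (--i >= 0)` rollback is only correct if every jump to `pthru_dma_pool_error` happens with `i` equal to the index of the entry whose `dma_pool_alloc()` failed (i.e. before the allocation loop increments `i`) and if `i` is a signed type; with an unsigned `i`, `--i >= 0` is always true and the loop would run past the start of `kioc_list`. The hunk does not show the declaration of `i` or the failing allocation, so please confirm both in the surrounding code, and note that any other `goto pthru_dma_pool_error` from a point where `i` is not the failed index would free entries that were never allocated. Given that precondition, dropping the `if (kioc->pthru32)` test is right: entries below `i` are guaranteed allocated and entries at or above `i` are never touched, which is exactly the uninitialized-read the message describes.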