The patch titled
Subject: rapidio: dereferencing an error pointer
has been added to the -mm tree. Its filename is
rapidio-dereferencing-an-error-pointer.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/rapidio-dereferencing-an-error-pointer.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/rapidio-dereferencing-an-error-pointer.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Subject: rapidio: dereferencing an error pointer
Original patch: https://lkml.org/lkml/2016/8/4/32
If riocm_ch_alloc() fails then we end up dereferencing the error pointer.
The problem is that we're not unwinding in the reverse order from how we
allocate things so it gets confusing. I've changed this around so now
"ch" is NULL when we are done with it after we call riocm_put_channel().
That way we can check if it's NULL and avoid calling riocm_put_channel()
on it twice.
I renamed err_nodev to err_put_new_ch so that it better reflects what the
goto does.
Then because we had flipping things around, it means we don't neeed to
initialize the pointers to NULL and we can remove an if statement and pull
things in an indent level.
Link: http://lkml.kernel.org/r/20160805152406.20713-1-alexandre.bounine@xxxxxxx
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Alexandre Bounine <alexandre.bounine@xxxxxxx>
Cc: Matt Porter <mporter@xxxxxxxxxxxxxxxxxxx>
Cc: Andre van Herk <andre.van.herk@xxxxxxxxxxxxxxxxxxxxxxxxx>
Cc: Barry Wood <barry.wood@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
drivers/rapidio/rio_cm.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff -puN drivers/rapidio/rio_cm.c~rapidio-dereferencing-an-error-pointer drivers/rapidio/rio_cm.c
--- a/drivers/rapidio/rio_cm.c~rapidio-dereferencing-an-error-pointer
+++ a/drivers/rapidio/rio_cm.c
@@ -1080,8 +1080,8 @@ static int riocm_send_ack(struct rio_cha
static struct rio_channel *riocm_ch_accept(u16 ch_id, u16 *new_ch_id,
long timeout)
{
- struct rio_channel *ch = NULL;
- struct rio_channel *new_ch = NULL;
+ struct rio_channel *ch;
+ struct rio_channel *new_ch;
struct conn_req *req;
struct cm_peer *peer;
int found = 0;
@@ -1155,6 +1155,7 @@ static struct rio_channel *riocm_ch_acce
spin_unlock_bh(&ch->lock);
riocm_put_channel(ch);
+ ch = NULL;
kfree(req);
down_read(&rdev_sem);
@@ -1172,7 +1173,7 @@ static struct rio_channel *riocm_ch_acce
if (!found) {
/* If peer device object not found, simply ignore the request */
err = -ENODEV;
- goto err_nodev;
+ goto err_put_new_ch;
}
new_ch->rdev = peer->rdev;
@@ -1184,15 +1185,16 @@ static struct rio_channel *riocm_ch_acce
*new_ch_id = new_ch->id;
return new_ch;
+
+err_put_new_ch:
+ spin_lock_bh(&idr_lock);
+ idr_remove(&ch_idr, new_ch->id);
+ spin_unlock_bh(&idr_lock);
+ riocm_put_channel(new_ch);
+
err_put:
- riocm_put_channel(ch);
-err_nodev:
- if (new_ch) {
- spin_lock_bh(&idr_lock);
- idr_remove(&ch_idr, new_ch->id);
- spin_unlock_bh(&idr_lock);
- riocm_put_channel(new_ch);
- }
+ if (ch)
+ riocm_put_channel(ch);
*new_ch_id = 0;
return ERR_PTR(err);
}
_
Patches currently in -mm which might be from dan.carpenter@xxxxxxxxxx are
powerpc-fsl_rio-fix-a-missing-error-code.patch
rapidio-dereferencing-an-error-pointer.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
