Hi Chris, On Tue, 2012-12-11 at 21:58 +0000, Chris Boot wrote: > If the TPG memory is allocated successfully, but we fail further along > in the function, a dangling pointer to freed memory is left in the TPort > structure. This is mostly harmless, but does prevent re-trying the > operation without first removing the TPort altogether. > > Reported-by: Chen Gang <gang.chen@xxxxxxxxxxx> > Signed-off-by: Chris Boot <bootc@xxxxxxxxx> > Cc: Andy Grover <agrover@xxxxxxxxxx> > Cc: Nicholas A. Bellinger <nab@xxxxxxxxxxxxxxx> > --- Looks fine to me. Applying to for-next w/ a CC' to stable. Thanks Chris & Chen! --nab > drivers/target/sbp/sbp_target.c | 17 ++++++++++------- > 1 file changed, 10 insertions(+), 7 deletions(-) > > diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c > index f0a2a1d..2e8d06f 100644 > --- a/drivers/target/sbp/sbp_target.c > +++ b/drivers/target/sbp/sbp_target.c > @@ -2208,20 +2208,23 @@ static struct se_portal_group *sbp_make_tpg( > tport->mgt_agt = sbp_management_agent_register(tport); > if (IS_ERR(tport->mgt_agt)) { > ret = PTR_ERR(tport->mgt_agt); > - kfree(tpg); > - return ERR_PTR(ret); > + goto out_free_tpg; > } > > ret = core_tpg_register(&sbp_fabric_configfs->tf_ops, wwn, > &tpg->se_tpg, (void *)tpg, > TRANSPORT_TPG_TYPE_NORMAL); > - if (ret < 0) { > - sbp_management_agent_unregister(tport->mgt_agt); > - kfree(tpg); > - return ERR_PTR(ret); > - } > + if (ret < 0) > + goto out_unreg_mgt_agt; > > return &tpg->se_tpg; > + > +out_unreg_mgt_agt: > + sbp_management_agent_unregister(tport->mgt_agt); > +out_free_tpg: > + tport->tpg = NULL; > + kfree(tpg); > + return ERR_PTR(ret); > } > > static void sbp_drop_tpg(struct se_portal_group *se_tpg)
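Review bot: in the new error labels at the end of sbp_make_tpg(), only tport->tpg is reset, while tport->mgt_agt is left as it was. On the first failure path it still holds the ERR_PTR value returned by sbp_management_agent_register(), and after out_unreg_mgt_agt it still refers to the agent that was just passed to sbp_management_agent_unregister(). Since the stated aim is to leave no stale pointer in the TPort so the operation can be retried, consider also adding `tport->mgt_agt = NULL;` under out_free_tpg, unless every reader of that field is known to be unaffected, which these lines do not show.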