From patchwork Mon Jan 7 20:38:48 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3.5.y.z, extended, stable] Patch "sbp-target: fix error path in sbp_make_tpg()" has been added to staging queue From: Herton Ronaldo Krzesinski X-Patchwork-Id: 210222 Message-Id: <1357591128-22475-1-git-send-email-herton.krzesinski@canonical.com> To: Chris Boot Cc: Chen Gang , Andy Grover , kernel-team@lists.ubuntu.com, "Nicholas A. Bellinger" Date: Mon, 7 Jan 2013 18:38:48 -0200 This is a note to let you know that I have just added a patch titled sbp-target: fix error path in sbp_make_tpg() to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Herton ------ >From b1e801616c6542e0393b72599048b8789f3bb96a Mon Sep 17 00:00:00 2001 From: Chris Boot Date: Tue, 11 Dec 2012 21:58:48 +0000 Subject: [PATCH] sbp-target: fix error path in sbp_make_tpg() commit e1fe2060d7e8f58a69374135e32e90f0bb79a7fd upstream. If the TPG memory is allocated successfully, but we fail further along in the function, a dangling pointer to freed memory is left in the TPort structure. This is mostly harmless, but does prevent re-trying the operation without first removing the TPort altogether. Reported-by: Chen Gang Signed-off-by: Chris Boot Cc: Andy Grover Cc: Nicholas A. Bellinger Signed-off-by: Nicholas Bellinger Signed-off-by: Herton Ronaldo Krzesinski --- drivers/target/sbp/sbp_target.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) -- 1.7.9.5 diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c index 7e6136e..e935aaa 100644 --- a/drivers/target/sbp/sbp_target.c +++ b/drivers/target/sbp/sbp_target.c @@ -2221,20 +2221,23 @@ static struct se_portal_group *sbp_make_tpg( tport->mgt_agt = sbp_management_agent_register(tport); if (IS_ERR(tport->mgt_agt)) { ret = PTR_ERR(tport->mgt_agt); - kfree(tpg); - return ERR_PTR(ret); + goto out_free_tpg; } ret = core_tpg_register(&sbp_fabric_configfs->tf_ops, wwn, &tpg->se_tpg, (void *)tpg, TRANSPORT_TPG_TYPE_NORMAL); - if (ret < 0) { - sbp_management_agent_unregister(tport->mgt_agt); - kfree(tpg); - return ERR_PTR(ret); - } + if (ret < 0) + goto out_unreg_mgt_agt; return &tpg->se_tpg; + +out_unreg_mgt_agt: + sbp_management_agent_unregister(tport->mgt_agt); +out_free_tpg: + tport->tpg = NULL; + kfree(tpg); + return ERR_PTR(ret); } static void sbp_drop_tpg(struct se_portal_group *se_tpg)