Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754136AbcCBKJ7 (ORCPT ); Wed, 2 Mar 2016 05:09:59 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:19057 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751205AbcCBKJ5 (ORCPT ); Wed, 2 Mar 2016 05:09:57 -0500 Date: Wed, 2 Mar 2016 13:09:41 +0300 From: Dan Carpenter To: "Nicholas A. Bellinger" , Christoph Hellwig Cc: Hannes Reinecke , Bart Van Assche , Sheng Yang , linux-scsi@vger.kernel.org, target-devel@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] tcm_loop: use after free on error Message-ID: <20160302100941.GE5533@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Source-IP: userv0022.oracle.com [156.151.31.74] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 933 Lines: 28 We dereference "tl_nexus" to get the error code. Fixes: 1b418a8fcbc0 ('target: Convert demo-mode only drivers to target_alloc_session') Signed-off-by: Dan Carpenter diff --git a/drivers/target/loopback/tcm_loop.c b/drivers/target/loopback/tcm_loop.c index 0216c75..e0ffb03 100644 --- a/drivers/target/loopback/tcm_loop.c +++ b/drivers/target/loopback/tcm_loop.c @@ -808,6 +808,7 @@ static int tcm_loop_make_nexus( { struct tcm_loop_hba *tl_hba = tl_tpg->tl_hba; struct tcm_loop_nexus *tl_nexus; + int ret; if (tl_tpg->tl_nexus) { pr_debug("tl_tpg->tl_nexus already exists\n"); @@ -824,8 +825,9 @@ static int tcm_loop_make_nexus( TARGET_PROT_DIN_PASS | TARGET_PROT_DOUT_PASS, name, tl_nexus, NULL); if (IS_ERR(tl_nexus->se_sess)) { + ret = PTR_ERR(tl_nexus->se_sess); kfree(tl_nexus); - return PTR_ERR(tl_nexus->se_sess); + return ret; } tl_tpg->tl_nexus = tl_nexus;
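Review bot: The changelog should state that the dereference happens after the free. In the IS_ERR(tl_nexus->se_sess) branch of tcm_loop_make_nexus(), the removed line returned PTR_ERR(tl_nexus->se_sess) after kfree(tl_nexus) had already run, and "We dereference "tl_nexus" to get the error code" does not on its own say that. A sentence such as "tl_nexus is freed before we read tl_nexus->se_sess for the return value" would make the bug clear to anyone backporting on the strength of the Fixes: tag. The code change itself reads correctly: ret is assigned from PTR_ERR(tl_nexus->se_sess) before kfree(tl_nexus), and the new "int ret;" in the first hunk is used only on this error path, so no other return in the visible lines is affected.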