Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1194846ybn; Wed, 2 Oct 2019 12:15:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqyGKr9DdGAgslIeYz+V7bAzO458d0N/h+0YbygbUCSBonW8xdeHjQ+X1SVpz3CUBV8TNPZx X-Received: by 2002:a17:906:4d08:: with SMTP id r8mr4480030eju.283.1570043713247; Wed, 02 Oct 2019 12:15:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570043713; cv=none; d=google.com; s=arc-20160816; b=Rt+p4dRMeIrQUuMyRqrlyx9wwZW6PO7ZgJX2PRo4IJQknQyaDpS+6uupTJy+r+PFOs /45R6NNs+aWOmSHkwoG4Y7OalN8HvMV6851uGDjHgvRB3W4a3a0zqpBhd9u2nK6Z/Yko +07mm5j5TCRFLirQkASa3edKOFvMzFnSMh0GX2Ma6hZCcnVSbtdEm9ADW+78buKs71hV yacDl19li6ILGWhEb88w1FAD6y8DC8yaUQIFUx6u2CNX1EOKoHDavCfJ+/Bdi/rBZwUB ib1D+NsCV30FAnfhL0EL+zc7wLKhCm4Wdc7Q3OHU+h5WjzgVoFVHEKZ2JfUfzBwimDwJ 8Y5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=/wYQE2gF5b9PbZyIV84a/6LPl69U9B5hQg0dCVKOU2Q=; b=Jc1bDlQrMT2ZzQrts+EEaCSoIqiR5ArHhGGC9CWHENu7bS6l6K6LjiukWiwHa17Ip8 Ztt53UqGIQe2VVEwtbbMEUz0UnFUQ1HiQSKyIGMEOhjNz2KmsLrjOJxZkvg60DGT6Ylf jQtER+E/73MrdnWtGE1FU6RH0PeBYNYqKKVMXZdKKzWLpgJBEvJkxkokrJD6aMLXX7u+ 7f4U1Mit5C3ER4ATb5bt8dJF0vfKPsGC8QSfyRWd8GSEsH5z7HjRZhH2718pxT+kXFYJ HQUM1cgf2DR87FPGwctZaFVXgkjSqcpMnPeUW3yNGcI3bauZ++XTp9WCjqq1/yp+oGa5 bMig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h2si34088edw.29.2019.10.02.12.14.49; Wed, 02 Oct 2019 12:15:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729819AbfJBTNV (ORCPT + 99 others); Wed, 2 Oct 2019 15:13:21 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35346 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729090AbfJBTIJ (ORCPT ); Wed, 2 Oct 2019 15:08:09 -0400 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1iFjyo-000367-MG; Wed, 02 Oct 2019 20:08:06 +0100 Received: from ben by deadeye with local (Exim 4.92.1) (envelope-from ) id 1iFjyn-0003ca-Vv; Wed, 02 Oct 2019 20:08:05 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, Denis Kirjanov , "Pavel Shilovsky" , "Steve French" , "Roberto Bergantinos Corpas" Date: Wed, 02 Oct 2019 20:06:51 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 34/87] CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.75-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Roberto Bergantinos Corpas commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream. In cifs_read_allocate_pages, in case of ENOMEM, we go through whole rdata->pages array but we have failed the allocation before nr_pages, therefore we may end up calling put_page with NULL pointer, causing oops Signed-off-by: Roberto Bergantinos Corpas Acked-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Ben Hutchings --- fs/cifs/file.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -2744,7 +2744,9 @@ cifs_read_allocate_pages(struct cifs_rea } if (rc) { - for (i = 0; i < nr_pages; i++) { + unsigned int nr_page_failed = i; + + for (i = 0; i < nr_page_failed; i++) { put_page(rdata->pages[i]); rdata->pages[i] = NULL; }