From: Ursula Braun Date: Thu, 17 Sep 2020 20:46:02 +0000 (+0200) Subject: net/smc: fix double kfree in smc_listen_work() X-Git-Tag: nvme-5.10-2020-10-29~116^2~232 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=ac679364b98edb4ba46a482c7ab52e2ccb82b8de;p=nvme.git net/smc: fix double kfree in smc_listen_work() If smc_listen_rmda_finish() returns with an error, the storage addressed by 'buf' is freed a second time. Consolidate freeing under a common label and jump to that label. Fixes: 6bb14e48ee8d ("net/smc: dynamic allocation of CLC proposal buffer") Reported-by: Dan Carpenter Signed-off-by: Ursula Braun Signed-off-by: Karsten Graul Signed-off-by: David S. Miller --- diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c index f5bececfedaa..ed8f97166be9 100644 --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -1371,7 +1371,6 @@ static void smc_listen_work(struct work_struct *work) } /* finish worker */ - kfree(buf); if (!ism_supported) { rc = smc_listen_rdma_finish(new_smc, &cclc, ini.first_contact_local); @@ -1381,12 +1380,13 @@ static void smc_listen_work(struct work_struct *work) } smc_conn_save_peer_info(new_smc, &cclc); smc_listen_out_connected(new_smc); - return; + goto out_free; out_unlock: mutex_unlock(&smc_server_lgr_pending); out_decl: smc_listen_decline(new_smc, rc, ini.first_contact_local); +out_free: kfree(buf); }