diff options
author | Anton Blanchard <anton@samba.org> | 2011-02-25 10:33:17 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-02-25 14:12:37 -0500 |
commit | 0a93ea2e897bd793cc0aaaddc397eff32ac8d6fe (patch) | |
tree | 60fd9c282565e803e6d022e7166db34818a33bef | |
parent | f129ccc9231c95513a1227ca9da876beeb03e577 (diff) |
RxRPC: Allocate tokens with kzalloc to avoid oops in rxrpc_destroy
With slab poisoning enabled, I see the following oops:
Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6b73
...
NIP [c0000000006bc61c] .rxrpc_destroy+0x44/0x104
LR [c0000000006bc618] .rxrpc_destroy+0x40/0x104
Call Trace:
[c0000000feb2bc00] [c0000000006bc618] .rxrpc_destroy+0x40/0x104 (unreliable)
[c0000000feb2bc90] [c000000000349b2c] .key_cleanup+0x1a8/0x20c
[c0000000feb2bd40] [c0000000000a2920] .process_one_work+0x2f4/0x4d0
[c0000000feb2be00] [c0000000000a2d50] .worker_thread+0x254/0x468
[c0000000feb2bec0] [c0000000000a868c] .kthread+0xbc/0xc8
[c0000000feb2bf90] [c000000000020e00] .kernel_thread+0x54/0x70
We aren't initialising token->next, but the code in destroy_context relies
on the list being NULL terminated. Use kzalloc to zero out all the fields.
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | net/rxrpc/ar-key.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c index 5ee16f0353fe..d763793d39de 100644 --- a/net/rxrpc/ar-key.c +++ b/net/rxrpc/ar-key.c | |||
@@ -89,11 +89,11 @@ static int rxrpc_instantiate_xdr_rxkad(struct key *key, const __be32 *xdr, | |||
89 | return ret; | 89 | return ret; |
90 | 90 | ||
91 | plen -= sizeof(*token); | 91 | plen -= sizeof(*token); |
92 | token = kmalloc(sizeof(*token), GFP_KERNEL); | 92 | token = kzalloc(sizeof(*token), GFP_KERNEL); |
93 | if (!token) | 93 | if (!token) |
94 | return -ENOMEM; | 94 | return -ENOMEM; |
95 | 95 | ||
96 | token->kad = kmalloc(plen, GFP_KERNEL); | 96 | token->kad = kzalloc(plen, GFP_KERNEL); |
97 | if (!token->kad) { | 97 | if (!token->kad) { |
98 | kfree(token); | 98 | kfree(token); |
99 | return -ENOMEM; | 99 | return -ENOMEM; |
@@ -731,10 +731,10 @@ static int rxrpc_instantiate(struct key *key, const void *data, size_t datalen) | |||
731 | goto error; | 731 | goto error; |
732 | 732 | ||
733 | ret = -ENOMEM; | 733 | ret = -ENOMEM; |
734 | token = kmalloc(sizeof(*token), GFP_KERNEL); | 734 | token = kzalloc(sizeof(*token), GFP_KERNEL); |
735 | if (!token) | 735 | if (!token) |
736 | goto error; | 736 | goto error; |
737 | token->kad = kmalloc(plen, GFP_KERNEL); | 737 | token->kad = kzalloc(plen, GFP_KERNEL); |
738 | if (!token->kad) | 738 | if (!token->kad) |
739 | goto error_free; | 739 | goto error_free; |
740 | 740 | ||