Commit b6272007 authored by Sagi Grimberg's avatar Sagi Grimberg

nvmet-tcp: fix possible NULL deref



We must only call sgl_free for sgl that we actually
allocated.

Signed-off-by: default avatarSagi Grimberg <sagi@grimberg.me>
parent 42df26d4
+8 −4
@@ -348,6 +348,7 @@ static int nvmet_tcp_map_data(struct nvmet_tcp_cmd *cmd)

	return 0;
err:
	if (cmd->req.sg_cnt)
		sgl_free(cmd->req.sg);
	return NVME_SC_INTERNAL;
}
@@ -553,6 +554,7 @@ static int nvmet_try_send_data(struct nvmet_tcp_cmd *cmd)

	if (queue->nvme_sq.sqhd_disabled) {
		kfree(cmd->iov);
		if (cmd->req.sg_cnt)
			sgl_free(cmd->req.sg);
	}

@@ -584,6 +586,7 @@ static int nvmet_try_send_response(struct nvmet_tcp_cmd *cmd,
		return -EAGAIN;

	kfree(cmd->iov);
	if (cmd->req.sg_cnt)
		sgl_free(cmd->req.sg);
	cmd->queue->snd_cmd = NULL;
	nvmet_tcp_put_cmd(cmd);
@@ -1306,6 +1309,7 @@ static void nvmet_tcp_finish_cmd(struct nvmet_tcp_cmd *cmd)
{
	nvmet_req_uninit(&cmd->req);
	nvmet_tcp_unmap_pdu_iovec(cmd);
	if (cmd->req.sg_cnt)
		sgl_free(cmd->req.sg);
}
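Review bot: After each guarded `sgl_free(cmd->req.sg)` the pointer and `cmd->req.sg_cnt` keep their old values, so the new `if (cmd->req.sg_cnt)` test still passes if the same command reaches a second release path, for example nvmet_try_send_data with `sqhd_disabled` set followed by nvmet_tcp_finish_cmd during teardown. Whether those paths can overlap for one command is not visible in these hunks, but if they can, the result is a double free rather than the NULL dereference fixed here. Folding the four identical copies into one static helper that clears both fields after freeing would close that gap and keep the guard in one place; confirm that nothing reads `sg_cnt` after the free before resetting it. Only nvmet_tcp_finish_cmd is shown in full; the other three functions begin outside their hunks.

```c
/* Release the command's data sgl, if one was allocated, exactly once. */
static void nvmet_tcp_free_sgl(struct nvmet_tcp_cmd *cmd)
{
	if (!cmd->req.sg_cnt)
		return;
	sgl_free(cmd->req.sg);
	/* Clear both fields so a later release path finds nothing to free. */
	cmd->req.sg = NULL;
	cmd->req.sg_cnt = 0;
}

/* … unchanged: nvmet_tcp_map_data, nvmet_try_send_data, nvmet_try_send_response
 * and nvmet_tcp_finish_cmd, each replacing its guarded sgl_free() with
 * nvmet_tcp_free_sgl(cmd); … */
```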