I hitted few items from Dawson Engler's list of potential kmalloc/kfree
bugs...
--
Bartlomiej Zolnierkiewicz
<[EMAIL PROTECTED]>
--- linux-240t10/drivers/ide/ide-probe.c Tue Oct 3 00:16:51 2000
+++ linux/drivers/ide/ide-probe.c Tue Nov 7 00:25:35 2000
@@ -652,6 +653,10 @@
hwgroup = match->hwgroup;
} else {
hwgroup = kmalloc(sizeof(ide_hwgroup_t), GFP_KERNEL);
+ if(!hwgroup) {
+ restore_flags(flags);
+ return 1;
+ }
memset(hwgroup, 0, sizeof(ide_hwgroup_t));
hwgroup->hwif = hwif->next = hwif;
hwgroup->rq = NULL;
@@ -746,11 +751,23 @@
}
minors = units * (1<<PARTN_BITS);
gd = kmalloc (sizeof(struct gendisk), GFP_KERNEL);
+ if(!gd)
+ goto cleanup_gd;
gd->sizes = kmalloc (minors * sizeof(int), GFP_KERNEL);
+ if(!gd->sizes)
+ goto cleanup_gd_sizes;
gd->part = kmalloc (minors * sizeof(struct hd_struct), GFP_KERNEL);
+ if(!gd->part)
+ goto cleanup_gd_part;
bs = kmalloc (minors*sizeof(int), GFP_KERNEL);
+ if(!bs)
+ goto cleanup_bs;
max_sect = kmalloc (minors*sizeof(int), GFP_KERNEL);
+ if(!max_sect)
+ goto cleanup_max_sect;
max_ra = kmalloc (minors*sizeof(int), GFP_KERNEL);
+ if(!max_ra)
+ goto cleanup_max_ra;
memset(gd->part, 0, minors * sizeof(struct hd_struct));
@@ -779,12 +796,16 @@
gd->real_devices= hwif; /* ptr to internal data */
gd->next = NULL; /* linked list of major devs */
gd->fops = ide_fops; /* file operations */
- gd->de_arr = kmalloc (sizeof *gd->de_arr * units, GFP_KERNEL);
- gd->flags = kmalloc (sizeof *gd->flags * units, GFP_KERNEL);
- if (gd->de_arr)
- memset (gd->de_arr, 0, sizeof *gd->de_arr * units);
- if (gd->flags)
- memset (gd->flags, 0, sizeof *gd->flags * units);
+ if(units) {
+ gd->de_arr = kmalloc (sizeof *gd->de_arr * units, GFP_KERNEL);
+ if(!gd->de_arr)
+ goto cleanup_gd_de_arr;
+ gd->flags = kmalloc (sizeof *gd->flags * units, GFP_KERNEL);
+ if(!gd->flags)
+ goto cleanup_gd_flags;
+ memset(gd->de_arr, 0, sizeof *gd->de_arr * units);
+ memset(gd->flags, 0, sizeof *gd->flags * units);
+ }
for (gdp = &gendisk_head; *gdp; gdp = &((*gdp)->next)) ;
hwif->gd = *gdp = gd; /* link onto tail of list */
@@ -802,6 +823,26 @@
devfs_mk_dir (ide_devfs_handle, name, NULL);
}
}
+ return;
+
+cleanup_gd_flags:
+ kfree(gd->flags);
+cleanup_gd_de_arr:
+ kfree(gd->de_arr);
+cleanup_max_ra:
+ kfree(max_ra);
+cleanup_max_sect:
+ kfree(max_sect);
+cleanup_bs:
+ kfree(bs);
+cleanup_gd_part:
+ kfree(gd->part);
+cleanup_gd_sizes:
+ kfree(gd->sizes);
+cleanup_gd:
+ kfree(gd);
+
+ printk(KERN_ERR "ide-probe: not enough memory for init_gendisk()\n");
}
static int hwif_init (ide_hwif_t *hwif)
--- linux-240t10/drivers/i2o/i2o_config.c Tue Oct 3 00:15:34 2000
+++ linux/drivers/i2o/i2o_config.c Mon Nov 6 22:41:41 2000
@@ -499,6 +499,8 @@
if(!res)
{
i2o_unlock_controller(c);
+ printk(KERN_INFO "i2o_config: could not get res\n");
+ if(kcmd.qlen) kfree(query);
return -ENOMEM;
}
--- linux-240t10/drivers/i2o/i2o_core.c Thu Oct 19 22:05:01 2000
+++ linux/drivers/i2o/i2o_core.c Mon Nov 6 22:49:55 2000
@@ -1664,6 +1664,7 @@
{
printk(KERN_ERR "%s: Timeout waiting for IOP
reset.\n",
c->name);
+ kfree(status);
return -ETIMEDOUT;
}
schedule();
--- linux-240t10/drivers/scsi/eata_dma.c Tue Oct 3 14:27:44 2000
+++ linux/drivers/scsi/eata_dma.c Mon Nov 6 23:21:04 2000
@@ -909,8 +909,17 @@
cp = (struct eata_ccb *) kmalloc(sizeof(struct eata_ccb),
GFP_ATOMIC | GFP_DMA);
+ if(!cp) {
+ printk(KERN_ERR "eata_dma: out of DMA memory\n");
+ return NULL;
+ }
sp = (struct eata_sp *) kmalloc(sizeof(struct eata_sp),
GFP_ATOMIC | GFP_DMA);
+ if(!sp) {
+ printk(KERN_ERR "eata_dma: out of DMA memory\n");
+ kfree(cp);
+ return NULL;
+ }
buff = dma_scratch;
@@ -1459,11 +1468,15 @@
tpnt->proc_name = "eata_dma";
status = kmalloc(512, GFP_ATOMIC | GFP_DMA);
+ if(!status) {
+ printk(KERN_ERR "eata_dma: not enough DMA memory to probe for hosts!\n");
+ return 0;
+ }
dma_scratch = kmalloc(1024, GFP_ATOMIC | GFP_DMA);
-
- if(status == NULL || dma_scratch == NULL) {
- printk("eata_dma: can't allocate enough memory to probe for hosts !\n");
- return(0);
+ if(!dma_scratch) {
+ printk(KERN_ERR "eata_dma: not enough DMA memory to probe for hosts!\n");
+ kfree(status);
+ return 0;
}
dma_scratch += 4;
--- linux-240t10/drivers/scsi/hosts.c Tue Oct 31 11:20:15 2000
+++ linux/driver/scsi/hosts.c Mon Nov 6 23:40:45 2000
@@ -168,7 +168,18 @@
retval->loaded_as_module = 1;
if (flag_new) {
shn = (Scsi_Host_Name *) kmalloc(sizeof(Scsi_Host_Name), GFP_ATOMIC);
+ if(!shn) {
+ printk(KERN_ERR "scsi: out of memory in scsi_register\n");
+ kfree(retval);
+ return NULL;
+ }
shn->name = kmalloc(hname_len + 1, GFP_ATOMIC);
+ if(!shn->name) {
+ printk(KERN_ERR "scsi: out of memory in scsi_register\n");
+ kfree(shn);
+ kfree(retval);
+ return NULL;
+ }
if (hname_len > 0)
strncpy(shn->name, hname, hname_len);
shn->name[hname_len] = 0;
--- linux-240t10/drivers/scsi/ips.c Tue Oct 3 14:27:45 2000
+++ linux/drivers/scsi/ips.c Mon Nov 6 23:48:22 2000
@@ -4552,6 +4552,8 @@
/* Allocate memory for the CCBs */
ha->scbs = (ips_scb_t *) kmalloc(ha->max_cmds * sizeof(ips_scb_t),
GFP_ATOMIC|GFP_DMA);
+ if(!ha->scbs)
+ return 0;
memset(ha->scbs, 0, ha->max_cmds * sizeof(ips_scb_t));
