RxRPC: Allocate tokens with kzalloc to avoid oops in rxrpc_destroy

With slab poisoning enabled, I see the following oops: Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6b73 ... NIP [c0000000006bc61c] .rxrpc_destroy+0x44/0x104 LR [c0000000006bc618] .rxrpc_destroy+0x40/0x104 Call Trace: [c0000000feb2bc00] [c0000000006bc618] .rxrpc_destroy+0x40/0x104 (unreliable) [c0000000feb2bc90] [c000000000349b2c] .key_cleanup+0x1a8/0x20c [c0000000feb2bd40] [c0000000000a2920] .process_one_work+0x2f4/0x4d0 [c0000000feb2be00] [c0000000000a2d50] .worker_thread+0x254/0x468 [c0000000feb2bec0] [c0000000000a868c] .kthread+0xbc/0xc8 [c0000000feb2bf90] [c000000000020e00] .kernel_thread+0x54/0x70 We aren't initialising token->next, but the code in destroy_context relies on the list being NULL terminated. Use kzalloc to zero out all the fields. Signed-off-by: Anton Blanchard <anton@samba.org> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

RxRPC: Allocate tokens with kzalloc to avoid oops in rxrpc_destroy
With slab poisoning enabled, I see the following oops: Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6b6b73 ... NIP [c0000000006bc61c] .rxrpc_destroy+0x44/0x104 LR [c0000000006bc618] .rxrpc_destroy+0x40/0x104 Call Trace: [c0000000feb2bc00] [c0000000006bc618] .rxrpc_destroy+0x40/0x104 (unreliable) [c0000000feb2bc90] [c000000000349b2c] .key_cleanup+0x1a8/0x20c [c0000000feb2bd40] [c0000000000a2920] .process_one_work+0x2f4/0x4d0 [c0000000feb2be00] [c0000000000a2d50] .worker_thread+0x254/0x468 [c0000000feb2bec0] [c0000000000a868c] .kthread+0xbc/0xc8 [c0000000feb2bf90] [c000000000020e00] .kernel_thread+0x54/0x70 We aren't initialising token->next, but the code in destroy_context relies on the list being NULL terminated. Use kzalloc to zero out all the fields. Signed-off-by: Anton Blanchard <anton@samba.org> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Anton Blanchard · Linus Torvalds
1 parent f129ccc923
Showing 1 changed file with 4 additions and 4 deletions Side-by-side Diff
net/rxrpc/ar-key.c
@@ -89,11 +89,11 @@
 		return ret;
  
 	plen -= sizeof(*token);
-	token = kmalloc(sizeof(*token), GFP_KERNEL);
+	token = kzalloc(sizeof(*token), GFP_KERNEL);
 	if (!token)
 		return -ENOMEM;
  
-	token->kad = kmalloc(plen, GFP_KERNEL);
+	token->kad = kzalloc(plen, GFP_KERNEL);
 	if (!token->kad) {
 		kfree(token);
 		return -ENOMEM;
  
@@ -731,10 +731,10 @@
 		goto error;
  
 	ret = -ENOMEM;
-	token = kmalloc(sizeof(*token), GFP_KERNEL);
+	token = kzalloc(sizeof(*token), GFP_KERNEL);
 	if (!token)
 		goto error;
-	token->kad = kmalloc(plen, GFP_KERNEL);
+	token->kad = kzalloc(plen, GFP_KERNEL);
 	if (!token->kad)
 		goto error_free;
...	...	@@ -89,11 +89,11 @@
89	89	return ret;
90	90
91	91	plen -= sizeof(*token);
92		- token = kmalloc(sizeof(*token), GFP_KERNEL);
	92	+ token = kzalloc(sizeof(*token), GFP_KERNEL);
93	93	if (!token)
94	94	return -ENOMEM;
95	95
96		- token->kad = kmalloc(plen, GFP_KERNEL);
	96	+ token->kad = kzalloc(plen, GFP_KERNEL);
97	97	if (!token->kad) {
98	98	kfree(token);
99	99	return -ENOMEM;
100	100
...	...	@@ -731,10 +731,10 @@
731	731	goto error;
732	732
733	733	ret = -ENOMEM;
734		- token = kmalloc(sizeof(*token), GFP_KERNEL);
	734	+ token = kzalloc(sizeof(*token), GFP_KERNEL);
735	735	if (!token)
736	736	goto error;
737		- token->kad = kmalloc(plen, GFP_KERNEL);
	737	+ token->kad = kzalloc(plen, GFP_KERNEL);
738	738	if (!token->kad)
739	739	goto error_free;
740	740