sbp-target: fix error path in sbp_make_tpg()
authorChris Boot <bootc@bootc.net>
Tue, 11 Dec 2012 21:58:48 +0000 (21:58 +0000)
committerNicholas Bellinger <nab@linux-iscsi.org>
Thu, 13 Dec 2012 05:17:25 +0000 (21:17 -0800)
If the TPG memory is allocated successfully, but we fail further along
in the function, a dangling pointer to freed memory is left in the TPort
structure. This is mostly harmless, but does prevent re-trying the
operation without first removing the TPort altogether.

Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Chris Boot <bootc@bootc.net>
Cc: Andy Grover <agrover@redhat.com>
Cc: Nicholas A. Bellinger <nab@linux-iscsi.org>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
drivers/target/sbp/sbp_target.c

index f0a2a1d..2e8d06f 100644 (file)
@@ -2208,20 +2208,23 @@ static struct se_portal_group *sbp_make_tpg(
        tport->mgt_agt = sbp_management_agent_register(tport);
        if (IS_ERR(tport->mgt_agt)) {
                ret = PTR_ERR(tport->mgt_agt);
-               kfree(tpg);
-               return ERR_PTR(ret);
+               goto out_free_tpg;
        }
 
        ret = core_tpg_register(&sbp_fabric_configfs->tf_ops, wwn,
                        &tpg->se_tpg, (void *)tpg,
                        TRANSPORT_TPG_TYPE_NORMAL);
-       if (ret < 0) {
-               sbp_management_agent_unregister(tport->mgt_agt);
-               kfree(tpg);
-               return ERR_PTR(ret);
-       }
+       if (ret < 0)
+               goto out_unreg_mgt_agt;
 
        return &tpg->se_tpg;
+
+out_unreg_mgt_agt:
+       sbp_management_agent_unregister(tport->mgt_agt);
+out_free_tpg:
+       tport->tpg = NULL;
+       kfree(tpg);
+       return ERR_PTR(ret);
 }
 
 static void sbp_drop_tpg(struct se_portal_group *se_tpg)