Similar to commit b2d3492fc591 ("scsi: bnx2fc: Fix error handling
in probe()"), qedf_cmd_mgr_alloc() allocates cmgr->io_bdt_pool
without initializing it with zero. Though each item of this array
is explicitly initialized with kmalloc() in the for-loop below,
kmalloc() may fail in the middle of the loop and make the caller
go into qedf_cmd_mgr_free(), where some uninitialized
cmgr->io_bdt_pool items are accessed.Fix this by allocating cmgr->io_bdt_pool with kcalloc(). Signed-off-by: Wang Xiayang <[email protected]> --- drivers/scsi/qedf/qedf_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c index d881e822f92c..2851b0cd1df8 100644 --- a/drivers/scsi/qedf/qedf_io.c +++ b/drivers/scsi/qedf/qedf_io.c @@ -254,7 +254,7 @@ struct qedf_cmd_mgr *qedf_cmd_mgr_alloc(struct qedf_ctx *qedf) } /* Allocate pool of io_bdts - one for each qedf_ioreq */ - cmgr->io_bdt_pool = kmalloc_array(num_ios, sizeof(struct io_bdt *), + cmgr->io_bdt_pool = kcalloc(num_ios, sizeof(struct io_bdt *), GFP_KERNEL); if (!cmgr->io_bdt_pool) { -- 2.11.0
