scsi: dpt_i2o: double free on error path

Message ID	20161130193648.GA24818@mwanda (mailing list archive)
State	Accepted, archived
Headers	show Return-Path: <linux-scsi-owner@kernel.org> Date: Wed, 30 Nov 2016 22:36:48 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Adaptec OEM Raid Solutions <aacraid@adaptec.com>, Quentin Lambert <lambert.quentin@gmail.com> Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] scsi: dpt_i2o: double free on error path Message-ID: <20161130193648.GA24818@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.6.0 (2016-04-01) Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk

Message ID

20161130193648.GA24818@mwanda (mailing list archive)

State

Accepted, archived

Headers

Date: Wed, 30 Nov 2016 22:36:48 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Adaptec OEM Raid Solutions <aacraid@adaptec.com>,
	Quentin Lambert <lambert.quentin@gmail.com>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] scsi: dpt_i2o: double free on error path
Message-ID: <20161130193648.GA24818@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk

Commit Message

Dan Carpenter Nov. 30, 2016, 7:36 p.m. UTC

We recently introduced a kfree() in the caller for this function.
That's where, logically, you would think the kfree() should be.
Unfortunately the code was just ugly and not buggy so the static
checker warning was a false postive and introduced a double free.

I've removed the old kfree() and left the new one.

Fixes: 021e2927586d ("scsi: dpt_i2o: Add a missing call to kfree")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Quentin Lambert Nov. 30, 2016, 8:18 p.m. UTC | #1

On 11/30/2016 08:36 PM, Dan Carpenter wrote:
> We recently introduced a kfree() in the caller for this function.
> That's where, logically, you would think the kfree() should be.
> Unfortunately the code was just ugly and not buggy so the static
> checker warning was a false postive and introduced a double free.
>
oh, yes! Sorry I missed that.

Quentin
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Martin K. Petersen Dec. 1, 2016, 12:54 a.m. UTC | #2

>>>>> "Dan" == Dan Carpenter <dan.carpenter@oracle.com> writes:

Dan> We recently introduced a kfree() in the caller for this function.
Dan> That's where, logically, you would think the kfree() should be.
Dan> Unfortunately the code was just ugly and not buggy so the static
Dan> checker warning was a false postive and introduced a double free.

Dan> I've removed the old kfree() and left the new one.

Applied to 4.10/scsi-queue.

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index f88b3d2..27c0dce 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -651,7 +651,6 @@  static u32 adpt_ioctl_to_context(adpt_hba * pHba, void *reply)
 	}
 	spin_unlock_irqrestore(pHba->host->host_lock, flags);
 	if (i >= nr) {
-		kfree (reply);
 		printk(KERN_WARNING"%s: Too many outstanding "
 				"ioctl commands\n", pHba->name);
 		return (u32)-1;

scsi: dpt_i2o: double free on error path

Commit Message

Comments

Patch