diff mbox series

SCSI: qla4xxx: fix double free bug

Message ID 1572945927-27796-1-git-send-email-bianpan2016@163.com (mailing list archive)
State Mainlined
Commit 3fe3d2428b62822b7b030577cd612790bdd8c941
Headers show
Series SCSI: qla4xxx: fix double free bug | expand

Commit Message

Pan Bian Nov. 5, 2019, 9:25 a.m. UTC 
The variable init_fw_cb is released twice, resulting in a double free
bug. The call to the function dma_free_coherent() before goto is removed
to get rid of potential double free.

Fixes: 2a49a78ed3c ("[SCSI] qla4xxx: added IPv6 support.")
Signed-off-by: Pan Bian <bianpan2016@163.com>
---
 drivers/scsi/qla4xxx/ql4_mbx.c | 3 ---
 1 file changed, 3 deletions(-)

Comments

Manish Rangankar Nov. 14, 2019, 4:42 a.m. UTC | #1 
> -----Original Message-----
> From: linux-scsi-owner@vger.kernel.org <linux-scsi-
> owner@vger.kernel.org> On Behalf Of Pan Bian
> Sent: Tuesday, November 5, 2019 2:55 PM
> To: QLogic-Storage-Upstream@qlogic.com; James E.J. Bottomley
> <jejb@linux.ibm.com>; Martin K. Petersen <martin.petersen@oracle.com>
> Cc: linux-scsi@vger.kernel.org; linux-kernel@vger.kernel.org; Pan Bian
> <bianpan2016@163.com>
> Subject: [PATCH] SCSI: qla4xxx: fix double free bug
> 
> The variable init_fw_cb is released twice, resulting in a double free bug. The
> call to the function dma_free_coherent() before goto is removed to get rid
> of potential double free.
> 
> Fixes: 2a49a78ed3c ("[SCSI] qla4xxx: added IPv6 support.")
> Signed-off-by: Pan Bian <bianpan2016@163.com>
> ---
>  drivers/scsi/qla4xxx/ql4_mbx.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/drivers/scsi/qla4xxx/ql4_mbx.c b/drivers/scsi/qla4xxx/ql4_mbx.c
> index dac9a7013208..02636b4785c5 100644
> --- a/drivers/scsi/qla4xxx/ql4_mbx.c
> +++ b/drivers/scsi/qla4xxx/ql4_mbx.c
> @@ -640,9 +640,6 @@ int qla4xxx_initialize_fw_cb(struct scsi_qla_host *
> ha)
> 
>  	if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0],
> init_fw_cb_dma) !=
>  	    QLA_SUCCESS) {
> -		dma_free_coherent(&ha->pdev->dev,
> -				  sizeof(struct addr_ctrl_blk),
> -				  init_fw_cb, init_fw_cb_dma);
>  		goto exit_init_fw_cb;
>  	}

Thanks

Acked-by: Manish Rangankar <mrangankar@marvell.com>
Martin K. Petersen Nov. 19, 2019, 4:30 a.m. UTC | #2 
Pan,

> The variable init_fw_cb is released twice, resulting in a double free
> bug. The call to the function dma_free_coherent() before goto is
> removed to get rid of potential double free.

Applied to 5.5/scsi-queue, thanks!
diff mbox series

Patch

diff --git a/drivers/scsi/qla4xxx/ql4_mbx.c b/drivers/scsi/qla4xxx/ql4_mbx.c
index dac9a7013208..02636b4785c5 100644
--- a/drivers/scsi/qla4xxx/ql4_mbx.c
+++ b/drivers/scsi/qla4xxx/ql4_mbx.c
@@ -640,9 +640,6 @@  int qla4xxx_initialize_fw_cb(struct scsi_qla_host * ha)
 
 	if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0], init_fw_cb_dma) !=
 	    QLA_SUCCESS) {
-		dma_free_coherent(&ha->pdev->dev,
-				  sizeof(struct addr_ctrl_blk),
-				  init_fw_cb, init_fw_cb_dma);
 		goto exit_init_fw_cb;
 	}