mpt3sas: fix possible NULL dereference

Message ID 1460130162-30011-1-git-send-email-sudipm.mukherjee@gmail.com (mailing list archive)
State Changes Requested, archived

Commit Message

Sudip Mukherjee April 8, 2016, 3:42 p.m. UTC
We are dereferencing ioc->sense_dma_pool in pci_pool_free() and after
that we are checking if it is NULL, before calling pci_pool_destroy().
Let's check if it is NULL before calling both pci_pool_free() and
pci_pool_destroy().

Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
---
 drivers/scsi/mpt3sas/mpt3sas_base.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Martin K. Petersen April 15, 2016, 2:43 a.m. UTC | #1
>>>>> "Sudip" == Sudip Mukherjee <sudipm.mukherjee@gmail.com> writes:

Sudip> We are dereferencing ioc->sense_dma_pool in pci_pool_free() and
Sudip> after that we are checking if it is NULL, before calling
Sudip> pci_pool_destroy().  Let's check if it is NULL before calling both
Sudip> pci_pool_free() and pci_pool_destroy().

Broadcom folks, please review.

Sathya Prakash Veerichetty April 15, 2016, 5:35 p.m. UTC | #2
We need to do some more changes in this.  The concept is first pool alloc
and then memory alloc in the pool, so the memory has to be freed if the
memory is allocated in the pool and irrespective of memory allocated or
not the pool has to be destroyed if it is created.  We will work
internally and provide a complete patch.

Thanks
Sathya

-----Original Message-----
From: Martin K. Petersen [mailto:martin.petersen@oracle.com]
Sent: Thursday, April 14, 2016 8:44 PM
To: Sudip Mukherjee
Cc: Sathya Prakash; Chaitra P B; Suganath Prabu Subramani; James E.J.
Bottomley; Martin K. Petersen; linux-kernel@vger.kernel.org;
MPT-FusionLinux.pdl@broadcom.com; linux-scsi@vger.kernel.org
Subject: Re: [PATCH] mpt3sas: fix possible NULL dereference

>>>>> "Sudip" == Sudip Mukherjee <sudipm.mukherjee@gmail.com> writes:

Sudip> We are dereferencing ioc->sense_dma_pool in pci_pool_free() and
Sudip> after that we are checking if it is NULL, before calling
Sudip> pci_pool_destroy().  Let's check if it is NULL before calling both
Sudip> pci_pool_free() and pci_pool_destroy().

Broadcom folks, please review.

Patch

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index 8c44b9c..778c2ec 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -3087,9 +3087,11 @@  _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
 	}
 
 	if (ioc->sense) {
-		pci_pool_free(ioc->sense_dma_pool, ioc->sense, ioc->sense_dma);
-		if (ioc->sense_dma_pool)
+		if (ioc->sense_dma_pool) {
+			pci_pool_free(ioc->sense_dma_pool, ioc->sense,
+				      ioc->sense_dma);
 			pci_pool_destroy(ioc->sense_dma_pool);
+		}
 		dexitprintk(ioc, pr_info(MPT3SAS_FMT
 			"sense_pool(0x%p): free\n",
 			ioc->name, ioc->sense));
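
Review bot: In the `if (ioc->sense)` block, pci_pool_destroy() is still reached only when ioc->sense is non-NULL, so a pool that was created but from which the sense buffer was never allocated is not destroyed on this path. Consider guarding the two calls independently: call pci_pool_free() only when both ioc->sense and ioc->sense_dma_pool are set, and move the `if (ioc->sense_dma_pool)` check with pci_pool_destroy() outside the ioc->sense block so the pool is destroyed whenever it exists. The dexitprintk() can stay with the free, since it reports ioc->sense.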