scsi: dpt_i2o: double free if adpt_i2o_online_hba() fails

Commit Message

Dan Carpenter Dec. 16, 2016, 9:35 a.m. UTC

There are two places where adpt_i2o_online_hba() is called.  Both
callers call adpt_i2o_delete_hba(pHba) if adpt_i2o_online_hba() fails
and since we also free it here that causes a double free bug.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This bug pre-dates git.

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Martin K. Petersen Dec. 20, 2016, 10:46 p.m. UTC | #1

>>>>> "Dan" == Dan Carpenter <dan.carpenter@oracle.com> writes:

Dan> There are two places where adpt_i2o_online_hba() is called.  Both
Dan> callers call adpt_i2o_delete_hba(pHba) if adpt_i2o_online_hba()
Dan> fails and since we also free it here that causes a double free bug.

Applied to 4.11/scsi-queue.

Patch

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 27c0dce22e72..7d32c2f07067 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -2768,16 +2768,12 @@  static int adpt_i2o_activate_hba(adpt_hba* pHba)
  
 static int adpt_i2o_online_hba(adpt_hba* pHba)
 {
-	if (adpt_i2o_systab_send(pHba) < 0) {
-		adpt_i2o_delete_hba(pHba);
+	if (adpt_i2o_systab_send(pHba) < 0)
 		return -1;
-	}
 	/* In READY state */
 
-	if (adpt_i2o_enable_hba(pHba) < 0) {
-		adpt_i2o_delete_hba(pHba);
+	if (adpt_i2o_enable_hba(pHba) < 0)
 		return -1;
-	}
 
 	/* In OPERATIONAL state  */
 	return 0;