mpi3mr: fix a double free

Message ID	20210604182615.9593-1-thenzl@redhat.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-scsi-owner@kernel.org> From: Tomas Henzl <thenzl@redhat.com> To: linux-scsi@vger.kernel.org Cc: kashyap.desai@broadcom.com, sathya.prakash@broadcom.com Subject: [PATCH] mpi3mr: fix a double free Date: Fri, 4 Jun 2021 20:26:15 +0200 Message-Id: <20210604182615.9593-1-thenzl@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	mpi3mr: fix a double free \| expand mpi3mr: fix a double free

Message ID

20210604182615.9593-1-thenzl@redhat.com (mailing list archive)

State

Superseded

Headers

From: Tomas Henzl <thenzl@redhat.com>
To: linux-scsi@vger.kernel.org
Cc: kashyap.desai@broadcom.com, sathya.prakash@broadcom.com
Subject: [PATCH] mpi3mr: fix a double free
Date: Fri,  4 Jun 2021 20:26:15 +0200
Message-Id: <20210604182615.9593-1-thenzl@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

mpi3mr: fix a double free | expand

Commit Message

Tomas Henzl June 4, 2021, 6:26 p.m. UTC

Fix a double free, scsi_tgt_priv_data will be freed
in mpi3mr_target_destroy.
I've also removed a second init of starget->hostdata
with the same value.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>
---
 drivers/scsi/mpi3mr/mpi3mr_os.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

Comments

Kashyap Desai June 7, 2021, 8:08 p.m. UTC | #1

> -----Original Message-----
> From: Tomas Henzl [mailto:thenzl@redhat.com]
> Sent: Friday, June 4, 2021 11:56 PM
> To: linux-scsi@vger.kernel.org
> Cc: kashyap.desai@broadcom.com; sathya.prakash@broadcom.com
> Subject: [PATCH] mpi3mr: fix a double free
>
> Fix a double free, scsi_tgt_priv_data will be freed in
mpi3mr_target_destroy.
> I've also removed a second init of starget->hostdata with the same
value.
>

Tomas -

Patch looks good. We can also include below changes on top of your current
patch.

--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -3293,10 +3293,6 @@ static int mpi3mr_target_alloc(struct scsi_target
*starget)
        if (!scsi_tgt_priv_data)
                return -ENOMEM;

-       starget->hostdata = scsi_tgt_priv_data;
-       scsi_tgt_priv_data->starget = starget;
-       scsi_tgt_priv_data->dev_handle = MPI3MR_INVALID_DEV_HANDLE;
-
        spin_lock_irqsave(&mrioc->tgtdev_lock, flags);
        tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id);
        if (tgt_dev && !tgt_dev->is_hidden) {

diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
index a54aa009ec5a..0681d9133fe4 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -3300,7 +3300,6 @@  static int mpi3mr_target_alloc(struct scsi_target *starget)
 	spin_lock_irqsave(&mrioc->tgtdev_lock, flags);
 	tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id);
 	if (tgt_dev && !tgt_dev->is_hidden) {
-		starget->hostdata = scsi_tgt_priv_data;
 		scsi_tgt_priv_data->starget = starget;
 		scsi_tgt_priv_data->dev_handle = tgt_dev->dev_handle;
 		scsi_tgt_priv_data->perst_id = tgt_dev->perst_id;
@@ -3309,10 +3308,8 @@  static int mpi3mr_target_alloc(struct scsi_target *starget)
 		tgt_dev->starget = starget;
 		atomic_set(&scsi_tgt_priv_data->block_io, 0);
 		retval = 0;
-	} else {
-		kfree(scsi_tgt_priv_data);
+	} else
 		retval = -ENXIO;
-	}
 	spin_unlock_irqrestore(&mrioc->tgtdev_lock, flags);
 
 	return retval;