Message ID | 20210608145712.16386-1-thenzl@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Series | [V2] mpi3mr: fix a double free |
> > Fix a double free, scsi_tgt_priv_data will be freed in mpi3mr_target_destroy > so remove the kfree from mpi3mr_target_alloc. > I've also removed few unneeded initialisations. > > Signed-off-by: Tomas Henzl <thenzl@redhat.com> > --- > V2: removed init of scsi_tgt_priv_data->starget = starget and > scsi_tgt_priv_data->dev_handle = MPI3MR_INVALID_DEV_HANDLE suggested > by Kashyap > > > drivers/scsi/mpi3mr/mpi3mr_os.c | 7 +------ > 1 file changed, 1 insertion(+), 6 deletions(-) > > diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c > b/drivers/scsi/mpi3mr/mpi3mr_os.c index a54aa009ec5a..29d43235b525 > 100644 > --- a/drivers/scsi/mpi3mr/mpi3mr_os.c > +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c > @@ -3294,13 +3294,10 @@ static int mpi3mr_target_alloc(struct scsi_target > *starget) > return -ENOMEM; > > starget->hostdata = scsi_tgt_priv_data; > - scsi_tgt_priv_data->starget = starget; > - scsi_tgt_priv_data->dev_handle = MPI3MR_INVALID_DEV_HANDLE; > > spin_lock_irqsave(&mrioc->tgtdev_lock, flags); > tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id); > if (tgt_dev && !tgt_dev->is_hidden) { > - starget->hostdata = scsi_tgt_priv_data; > scsi_tgt_priv_data->starget = starget; > scsi_tgt_priv_data->dev_handle = tgt_dev->dev_handle; > scsi_tgt_priv_data->perst_id = tgt_dev->perst_id; @@ - > 3309,10 +3306,8 @@ static int mpi3mr_target_alloc(struct scsi_target > *starget) > tgt_dev->starget = starget; > atomic_set(&scsi_tgt_priv_data->block_io, 0); > retval = 0; > - } else { > - kfree(scsi_tgt_priv_data); > + } else > retval = -ENXIO; > - } > spin_unlock_irqrestore(&mrioc->tgtdev_lock, flags); > > return retval; Acked-by: Kashyap Desai <kashyap.desai@broadcom.com>
Tomas,

> Fix a double free, scsi_tgt_priv_data will be freed in
> mpi3mr_target_destroy so remove the kfree from mpi3mr_target_alloc.
> I've also removed few unneeded initialisations.

Applied to 5.14/scsi-staging, thanks!

On Tue, 8 Jun 2021 16:57:12 +0200, Tomas Henzl wrote:

> Fix a double free, scsi_tgt_priv_data will be freed
> in mpi3mr_target_destroy so remove the kfree from
> mpi3mr_target_alloc.
> I've also removed few unneeded initialisations.

Applied to 5.14/scsi-queue, thanks!

[1/1] mpi3mr: fix a double free
https://git.kernel.org/mkp/scsi/c/d3d61f9c8c2d
diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c index a54aa009ec5a..29d43235b525 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_os.c +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c @@ -3294,13 +3294,10 @@ static int mpi3mr_target_alloc(struct scsi_target *starget) return -ENOMEM; starget->hostdata = scsi_tgt_priv_data; - scsi_tgt_priv_data->starget = starget; - scsi_tgt_priv_data->dev_handle = MPI3MR_INVALID_DEV_HANDLE; spin_lock_irqsave(&mrioc->tgtdev_lock, flags); tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id); if (tgt_dev && !tgt_dev->is_hidden) { - starget->hostdata = scsi_tgt_priv_data; scsi_tgt_priv_data->starget = starget; scsi_tgt_priv_data->dev_handle = tgt_dev->dev_handle; scsi_tgt_priv_data->perst_id = tgt_dev->perst_id; @@ -3309,10 +3306,8 @@ static int mpi3mr_target_alloc(struct scsi_target *starget) tgt_dev->starget = starget; atomic_set(&scsi_tgt_priv_data->block_io, 0); retval = 0; - } else { - kfree(scsi_tgt_priv_data); + } else retval = -ENXIO; - } spin_unlock_irqrestore(&mrioc->tgtdev_lock, flags); return retval;
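Review bot: in the first hunk (mpi3mr_target_alloc, at -3294), dropping `scsi_tgt_priv_data->dev_handle = MPI3MR_INVALID_DEV_HANDLE` means the -ENXIO path now returns with starget->hostdata pointing at a structure whose dev_handle was never written by this function. The allocation sits above the visible context, so please confirm that it zeroes the memory and that nothing reading hostdata before mpi3mr_target_destroy expects the MPI3MR_INVALID_DEV_HANDLE sentinel; if either is in doubt, keep that one initialisation and remove only the redundant starget assignments.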
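Review bot: in the second hunk the new `} else` followed by a bare `retval = -ENXIO;` leaves one branch unbraced while the `if` branch is braced; kernel coding style asks for braces on both, so keep `} else {` and the closing `}` and delete only the kfree line. The failure path now relies on mpi3mr_target_destroy freeing starget->hostdata after mpi3mr_target_alloc returns -ENXIO, and a one-line comment on that branch saying so would keep a later cleanup from reintroducing the kfree.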
Fix a double free, scsi_tgt_priv_data will be freed in mpi3mr_target_destroy
so remove the kfree from mpi3mr_target_alloc.
I've also removed few unneeded initialisations.

Signed-off-by: Tomas Henzl <thenzl@redhat.com>

---

V2: removed init of scsi_tgt_priv_data->starget = starget and
scsi_tgt_priv_data->dev_handle = MPI3MR_INVALID_DEV_HANDLE suggested
by Kashyap

drivers/scsi/mpi3mr/mpi3mr_os.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)