From: Deepak Ukey <deepak.ukey@microchip.com>
To: <linux-scsi@vger.kernel.org>
Cc: <Vasanthalakshmi.Tharmarajan@microchip.com>,
<Viswas.G@microchip.com>, <deepak.ukey@microchip.com>,
<jinpu.wang@profitbricks.com>, <martin.petersen@oracle.com>,
<dpf@google.com>, <jsperbeck@google.com>, <auradkar@google.com>,
<ianyar@google.com>
Subject: [PATCH 06/12] pm80xx : Fix dereferencing dangling pointer.
Date: Thu, 31 Oct 2019 10:42:35 +0530 [thread overview]
Message-ID: <20191031051241.6762-7-deepak.ukey@microchip.com> (raw)
In-Reply-To: <20191031051241.6762-1-deepak.ukey@microchip.com>
From: Vikram Auradkar <auradkar@google.com>
sas_task structure should not be used after task_done is called.
If the device is gone or not attached, we call task_done on t and
continue to use in the sas_task in rest of the function. task_done
is pointing to sas_ata_task_done, may free the memory associated
with the task before returning.
Signed-off-by: Vikram Auradkar <auradkar@google.com>
Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
---
drivers/scsi/pm8001/pm8001_sas.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index 447a66d60275..4491de8d40fc 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -388,6 +388,7 @@ static int pm8001_task_exec(struct sas_task *task,
struct pm8001_ccb_info *ccb;
u32 tag = 0xdeadbeef, rc = 0, n_elem = 0;
unsigned long flags = 0;
+ enum sas_protocol task_proto = t->task_proto;
if (!dev->port) {
struct task_status_struct *tsm = &t->task_status;
@@ -412,7 +413,7 @@ static int pm8001_task_exec(struct sas_task *task,
pm8001_dev = dev->lldd_dev;
port = &pm8001_ha->port[sas_find_local_port_id(dev)];
if (DEV_IS_GONE(pm8001_dev) || !port->port_attached) {
- if (sas_protocol_ata(t->task_proto)) {
+ if (sas_protocol_ata(task_proto)) {
struct task_status_struct *ts = &t->task_status;
ts->resp = SAS_TASK_UNDELIVERED;
ts->stat = SAS_PHY_DOWN;
@@ -434,7 +435,7 @@ static int pm8001_task_exec(struct sas_task *task,
goto err_out;
ccb = &pm8001_ha->ccb_info[tag];
- if (!sas_protocol_ata(t->task_proto)) {
+ if (!sas_protocol_ata(task_proto)) {
if (t->num_scatter) {
n_elem = dma_map_sg(pm8001_ha->dev,
t->scatter,
@@ -454,7 +455,7 @@ static int pm8001_task_exec(struct sas_task *task,
ccb->ccb_tag = tag;
ccb->task = t;
ccb->device = pm8001_dev;
- switch (t->task_proto) {
+ switch (task_proto) {
case SAS_PROTOCOL_SMP:
rc = pm8001_task_prep_smp(pm8001_ha, ccb);
break;
@@ -471,8 +472,7 @@ static int pm8001_task_exec(struct sas_task *task,
break;
default:
dev_printk(KERN_ERR, pm8001_ha->dev,
- "unknown sas_task proto: 0x%x\n",
- t->task_proto);
+ "unknown sas_task proto: 0x%x\n", task_proto);
rc = -EINVAL;
break;
}
@@ -495,7 +495,7 @@ static int pm8001_task_exec(struct sas_task *task,
pm8001_tag_free(pm8001_ha, tag);
err_out:
dev_printk(KERN_ERR, pm8001_ha->dev, "pm8001 exec failed[%d]!\n", rc);
- if (!sas_protocol_ata(t->task_proto))
+ if (!sas_protocol_ata(task_proto))
if (n_elem)
dma_unmap_sg(pm8001_ha->dev, t->scatter, t->num_scatter,
t->data_dir);
--
2.16.3
next prev parent reply other threads:[~2019-10-31 5:12 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-31 5:12 [PATCH 00/12] pm80xx : Updates for the driver version 0.1.39 Deepak Ukey
2019-10-31 5:12 ` [PATCH 01/12] pm80xx : Fix for SATA device discovery Deepak Ukey
2019-11-01 9:16 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 02/12] pm80xx : Initialize variable used as return status Deepak Ukey
2019-11-01 9:17 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 03/12] pm80xx : Convert 'long' mdelay to msleep Deepak Ukey
2019-11-01 9:19 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 04/12] pm80xx : Squashed logging cleanup changes Deepak Ukey
2019-11-06 10:22 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 05/12] pm80xx : Increase timeout for pm80xx mpi_uninit_check Deepak Ukey
2019-11-06 10:24 ` Jinpu Wang
2019-10-31 5:12 ` Deepak Ukey [this message]
2019-11-06 10:28 ` [PATCH 06/12] pm80xx : Fix dereferencing dangling pointer Jinpu Wang
2019-10-31 5:12 ` [PATCH 07/12] pm80xx : Fix command issue sizing Deepak Ukey
2019-11-06 10:33 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 08/12] pm80xx : Cleanup command when a reset times out Deepak Ukey
2019-11-06 10:39 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 09/12] pm80xx : Do not request 12G sas speeds Deepak Ukey
2019-11-06 10:43 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 10/12] pm80xx : Controller fatal error through sysfs Deepak Ukey
2019-11-06 10:49 ` Jinpu Wang
2019-11-07 6:20 ` Deepak.Ukey
2019-11-07 8:36 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 11/12] pm80xx : Tie the interrupt name to the module instance Deepak Ukey
2019-11-06 10:52 ` Jinpu Wang
2019-10-31 5:12 ` [PATCH 12/12] pm80xx : Modified the logic to collect fatal dump Deepak Ukey
2019-11-02 2:52 ` kbuild test robot
2019-11-02 2:52 ` kbuild test robot
2019-11-06 21:25 ` kbuild test robot
2019-11-06 21:25 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191031051241.6762-7-deepak.ukey@microchip.com \
--to=deepak.ukey@microchip.com \
--cc=Vasanthalakshmi.Tharmarajan@microchip.com \
--cc=Viswas.G@microchip.com \
--cc=auradkar@google.com \
--cc=dpf@google.com \
--cc=ianyar@google.com \
--cc=jinpu.wang@profitbricks.com \
--cc=jsperbeck@google.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.