From: Dan Carpenter <dan.carpenter@oracle.com>
To: jsmart2021@gmail.com
Cc: linux-scsi@vger.kernel.org
Subject: [bug report] scsi: elx: efct: LIO backend interface routines
Date: Fri, 18 Jun 2021 08:28:46 +0300
Message-ID: <YMwvDl71G6IWHUWN@mwanda>

Hello James Smart,

The patch 692e5d73a811: "scsi: elx: efct: LIO backend interface
routines" from Jun 1, 2021, leads to the following static checker
warning:

	drivers/scsi/elx/efct/efct_lio.c:851 efct_lio_npiv_make_nport()
	warn: '&vport_list->list_entry' not removed from list

drivers/scsi/elx/efct/efct_lio.c
   828          vport_list = kzalloc(sizeof(*vport_list), GFP_KERNEL);
   829          if (!vport_list) {
   830                  kfree(lio_vport);
   831                  return ERR_PTR(-ENOMEM);
   832          }
   833  
   834          vport_list->lio_vport = lio_vport;
   835          spin_lock_irqsave(&efct->tgt_efct.efct_lio_lock, flags);
   836          INIT_LIST_HEAD(&vport_list->list_entry);
   837          list_add_tail(&vport_list->list_entry, &efct->tgt_efct.vport_list);
                               ^^^^^^^^^^^^^^^^^^^^^^
Is it possible to add this to the list after fc_vport_create() succeeds?

   838          spin_unlock_irqrestore(&efct->tgt_efct.efct_lio_lock, flags);
   839  
   840          memset(&vport_id, 0, sizeof(vport_id));
   841          vport_id.port_name = npiv_wwpn;
   842          vport_id.node_name = npiv_wwnn;
   843          vport_id.roles = FC_PORT_ROLE_FCP_INITIATOR;
   844          vport_id.vport_type = FC_PORTTYPE_NPIV;
   845          vport_id.disable = false;
   846  
   847          new_fc_vport = fc_vport_create(efct->shost, 0, &vport_id);
   848          if (!new_fc_vport) {
   849                  efc_log_err(efct, "fc_vport_create failed\n");
   850                  kfree(lio_vport);
   851                  kfree(vport_list);

In the current code we free it without removing it from the list which
leads to a use after free.

   852                  return ERR_PTR(-ENOMEM);
   853          }
   854  
   855          lio_vport->fc_vport = new_fc_vport;
   856  
   857          return &lio_vport->vport_wwn;
   858  }

regards,
dan carpenter
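
The two ways of closing the dangling list entry raised in the report above, as an added userspace sketch that is not part of the original message and is not the efct driver's code. The list helpers, `create_vport()` (a stand-in for `fc_vport_create()`) and both `make_*` functions are hypothetical names; the driver's spinlock around list operations is omitted.

```c
/* Added illustration: userspace model of the error path, not efct driver code. */
#include <stdlib.h>
struct list_head { struct list_head *next, *prev; };

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

static void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
}

struct vport_entry { struct list_head list_entry; void *vport; };

/* Hypothetical stand-in for fc_vport_create(); fails on request. */
static void *create_vport(int fail) { return fail ? NULL : malloc(1); }

/* Option A: keep the early add, but unlink before freeing on failure. */
static struct vport_entry *make_unlink_on_error(struct list_head *head, int fail)
{
	struct vport_entry *e = calloc(1, sizeof(*e));
	if (!e)
		return NULL;
	list_add_tail(&e->list_entry, head);	/* driver does this under its lock */
	e->vport = create_vport(fail);
	if (!e->vport) {
		list_del(&e->list_entry);	/* head no longer points at e */
		free(e);
		return NULL;
	}
	return e;
}

/* Option B: publish the entry only once creation has succeeded. */
static struct vport_entry *make_add_after_success(struct list_head *head, int fail)
{
	struct vport_entry *e = calloc(1, sizeof(*e));
	if (!e)
		return NULL;
	e->vport = create_vport(fail);
	if (!e->vport) {
		free(e);			/* never linked, nothing to unlink */
		return NULL;
	}
	list_add_tail(&e->list_entry, head);
	return e;
}
```

Option B also means no other walker of the list can observe an entry whose vport pointer is still unset.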
