From: SF Markus Elfring <elfring@users.sourceforge.net>
To: linux-scsi@vger.kernel.org, aacraid@microsemi.com,
"James E. J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
kernel-janitors@vger.kernel.org,
Julia Lawall <julia.lawall@lip6.fr>
Subject: [PATCH 2/7] aacraid: One function call less in aac_send_raw_srb() after error detection
Date: Sun, 21 Aug 2016 09:20:45 +0200 [thread overview]
Message-ID: <1e07bef4-1bdd-f2af-b316-6d577c616d99@users.sourceforge.net> (raw)
In-Reply-To: <40d8607f-3934-c31f-3791-ef6a67d65d45@users.sourceforge.net>
>From e8187662ee30aab709a260c72fb86c51673f8e0d Mon Sep 17 00:00:00 2001
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Sat, 20 Aug 2016 20:40:47 +0200
Subject: [PATCH 2/7] aacraid: One function call less in aac_send_raw_srb()
after error detection
The kfree() function was called in a few cases by the
aac_send_raw_srb() function during error handling
even if the variable "user_srbcmd" possibly contained
an inappropriate pointer value.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
drivers/scsi/aacraid/commctrl.c | 49 ++++++++++++++++++++---------------------
1 file changed, 24 insertions(+), 25 deletions(-)
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 1af3084..6dcdf91 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -517,19 +517,19 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
if(copy_from_user(&fibsize, &user_srb->count,sizeof(u32))){
dprintk((KERN_DEBUG"aacraid: Could not copy data size from user\n"));
rcode = -EFAULT;
- goto cleanup;
+ goto free_sg_list;
}
if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
(fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
rcode = -EINVAL;
- goto cleanup;
+ goto free_sg_list;
}
user_srbcmd = memdup_user(user_srb, fibsize);
if (IS_ERR(user_srbcmd)) {
rcode = PTR_ERR(user_srbcmd);
- goto cleanup;
+ goto free_sg_list;
}
user_reply = arg+fibsize;
@@ -564,7 +564,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
dprintk((KERN_DEBUG"aacraid: too many sg entries %d\n",
le32_to_cpu(srbcmd->sg.count)));
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
actual_fibsize = sizeof(struct aac_srb) - sizeof(struct sgentry) +
((user_srbcmd->sg.count & 0xff) * sizeof(struct sgentry));
@@ -580,12 +580,12 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
sizeof(struct aac_srb), sizeof(struct sgentry),
sizeof(struct sgentry64), fibsize));
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
if ((data_dir == DMA_NONE) && user_srbcmd->sg.count) {
dprintk((KERN_DEBUG"aacraid: SG with no direction specified in Raw SRB command\n"));
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
byte_count = 0;
if (dev->adapter_info.options & AAC_OPT_SGMAP_HOST64) {
@@ -606,7 +606,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
(dev->scsi_host_ptr->max_sectors << 9) :
65536)) {
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
/* Does this really need to be GFP_DMA? */
p = kmalloc(upsg->sg[i].count,GFP_KERNEL|__GFP_DMA);
@@ -614,7 +614,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
upsg->sg[i].count,i,upsg->count));
rcode = -ENOMEM;
- goto cleanup;
+ goto free_user_srbcmd;
}
addr = (u64)upsg->sg[i].addr[0];
addr += ((u64)upsg->sg[i].addr[1]) << 32;
@@ -626,7 +626,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
if(copy_from_user(p,sg_user[i],upsg->sg[i].count)){
dprintk((KERN_DEBUG"aacraid: Could not copy sg data from user\n"));
rcode = -EFAULT;
- goto cleanup;
+ goto free_user_srbcmd;
}
}
addr = pci_map_single(dev->pdev, p, upsg->sg[i].count, data_dir);
@@ -644,7 +644,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
if (!usg) {
dprintk((KERN_DEBUG"aacraid: Allocation error in Raw SRB command\n"));
rcode = -ENOMEM;
- goto cleanup;
+ goto free_user_srbcmd;
}
actual_fibsize = actual_fibsize64;
@@ -658,7 +658,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
65536)) {
kfree(usg);
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
/* Does this really need to be GFP_DMA? */
p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
@@ -667,7 +667,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
usg->sg[i].count,i,usg->count));
kfree(usg);
rcode = -ENOMEM;
- goto cleanup;
+ goto free_user_srbcmd;
}
sg_user[i] = (void __user *)(uintptr_t)usg->sg[i].addr;
sg_list[i] = p; // save so we can clean up later
@@ -678,7 +678,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
kfree (usg);
dprintk((KERN_DEBUG"aacraid: Could not copy sg data from user\n"));
rcode = -EFAULT;
- goto cleanup;
+ goto free_user_srbcmd;
}
}
addr = pci_map_single(dev->pdev, p, usg->sg[i].count, data_dir);
@@ -711,7 +711,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
(dev->scsi_host_ptr->max_sectors << 9) :
65536)) {
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
/* Does this really need to be GFP_DMA? */
p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
@@ -719,7 +719,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
usg->sg[i].count,i,usg->count));
rcode = -ENOMEM;
- goto cleanup;
+ goto free_user_srbcmd;
}
addr = (u64)usg->sg[i].addr[0];
addr += ((u64)usg->sg[i].addr[1]) << 32;
@@ -731,7 +731,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
if(copy_from_user(p,sg_user[i],usg->sg[i].count)){
dprintk((KERN_DEBUG"aacraid: Could not copy sg data from user\n"));
rcode = -EFAULT;
- goto cleanup;
+ goto free_user_srbcmd;
}
}
addr = pci_map_single(dev->pdev, p, usg->sg[i].count, data_dir);
@@ -750,14 +750,14 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
(dev->scsi_host_ptr->max_sectors << 9) :
65536)) {
rcode = -EINVAL;
- goto cleanup;
+ goto free_user_srbcmd;
}
p = kmalloc(upsg->sg[i].count, GFP_KERNEL);
if (!p) {
dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
upsg->sg[i].count, i, upsg->count));
rcode = -ENOMEM;
- goto cleanup;
+ goto free_user_srbcmd;
}
sg_user[i] = (void __user *)(uintptr_t)upsg->sg[i].addr;
sg_list[i] = p; // save so we can clean up later
@@ -768,7 +768,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
upsg->sg[i].count)) {
dprintk((KERN_DEBUG"aacraid: Could not copy sg data from user\n"));
rcode = -EFAULT;
- goto cleanup;
+ goto free_user_srbcmd;
}
}
addr = pci_map_single(dev->pdev, p,
@@ -788,13 +788,13 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
}
if (status == -ERESTARTSYS) {
rcode = -ERESTARTSYS;
- goto cleanup;
+ goto free_user_srbcmd;
}
if (status != 0){
dprintk((KERN_DEBUG"aacraid: Could not send raw srb fib to hba\n"));
rcode = -ENXIO;
- goto cleanup;
+ goto free_user_srbcmd;
}
if (flags & SRB_DataIn) {
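Review bot: The `-ERESTARTSYS` exit jumps to `free_user_srbcmd` and then falls into the `free_sg_list` loop, so the buffers that the earlier hunks pass to `pci_map_single()` are freed after an interrupted wait. If the adapter can still own the request at that point (the send and wait code is outside this hunk, so this is inferred), it could DMA into memory that has already gone back to the allocator. Putting `if (rcode != -ERESTARTSYS)` in front of `for(i=0; i <= sg_indx; i++){` at the label would keep the buffers alive on that path; leaking them is the safer failure. The patch only preserves the old behaviour here, and the function body continues past this hunk.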
@@ -806,7 +806,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
if(copy_to_user(sg_user[i], sg_list[i], byte_count)){
dprintk((KERN_DEBUG"aacraid: Could not copy sg data to user\n"));
rcode = -EFAULT;
- goto cleanup;
+ goto free_user_srbcmd;
}
}
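Review bot: `copy_to_user(sg_user[i], sg_list[i], byte_count)` hands back buffers that the earlier hunks allocate with plain `kmalloc()`, so any bytes the adapter did not fill would reach user space as stale heap contents. `byte_count` is computed above this hunk, so whether it can exceed what the device actually wrote is not confirmed from here. Allocating with `kzalloc(upsg->sg[i].count, GFP_KERNEL|__GFP_DMA)`, and doing the same for the `usg` and non-DMA variants, would close that off regardless of the transfer length. The surrounding loop and the function start outside the hunk.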
@@ -816,11 +816,10 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
if(copy_to_user(user_reply,reply,sizeof(struct aac_srb_reply))){
dprintk((KERN_DEBUG"aacraid: Could not copy reply to user\n"));
rcode = -EFAULT;
- goto cleanup;
}
-
-cleanup:
+free_user_srbcmd:
kfree(user_srbcmd);
+free_sg_list:
for(i=0; i <= sg_indx; i++){
kfree(sg_list[i]);
}
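Review bot: The `free_sg_list` label is now entered from the three early exits in the first hunk, before `user_srbcmd` is assigned, and the loop still calls `kfree(sg_list[i])` for every `i <= sg_indx`. That is only safe if `sg_list[]` has been cleared and `sg_indx` set before the first `copy_from_user()`; those lines are outside the diff, so this is an assumption to confirm. A comment at the label such as `/* early exits land here: sg_list[] must be zeroed and sg_indx valid */` would record the dependency for anyone who later trims initialisations in this function. The function continues after this hunk.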
--
2.9.3