* [patch] [SCSI] mpt3sas: move dereference under check
@ 2013-03-11 11:40 Dan Carpenter
[not found] ` <DCD177647606E9419ED923E0C8C4AA7223E78BBBA3@inbmail02.lsi.com>
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2013-03-11 11:40 UTC (permalink / raw)
To: Nagalakshmi Nandigama
Cc: Sreekanth Reddy, support, James E.J. Bottomley, DL-MPTFusionLinux,
linux-scsi, linux-kernel, kernel-janitors
pci_pool_free() dereferences "ioc->sense_dma_pool" but we check it
for NULL on the following line.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index 1836003..06a84ef 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -2479,9 +2479,11 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
}
if (ioc->sense) {
- pci_pool_free(ioc->sense_dma_pool, ioc->sense, ioc->sense_dma);
- if (ioc->sense_dma_pool)
+ if (ioc->sense_dma_pool) {
+ pci_pool_free(ioc->sense_dma_pool, ioc->sense,
+ ioc->sense_dma);
pci_pool_destroy(ioc->sense_dma_pool);
+ }
dexitprintk(ioc, pr_info(MPT3SAS_FMT
"sense_pool(0x%p): free\n",
ioc->name, ioc->sense));
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [patch] [SCSI] mpt3sas: move dereference under check
[not found] ` <DCD177647606E9419ED923E0C8C4AA7223E78BBBA3@inbmail02.lsi.com>
@ 2013-03-14 14:34 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2013-03-14 14:34 UTC (permalink / raw)
To: Reddy, Sreekanth; +Cc: linux-scsi
On Thu, Mar 14, 2013 at 06:52:35PM +0530, Reddy, Sreekanth wrote:
> Hi Dan Carpenter,
>
> While analyzing this patch, I have added some debugging prints to
> print the address referenced by the IOC->sense_dma_pool before and
> after pci_pool_free() API and I have observed that the address
> referenced by this pointer is same before and after calling
> pci_pool_free() API. Please let me know if you have any case
> where you have seen ioc->sense_dma_pool is dereferenced after
> calling pci_pool_free API.
>
> And we are checking this ioc->sense_dma_pool pointer to NULL value
> for safe side even it is not assigned to NULL value anywhere in
> the driver code.
Thanks for looking at this.
I hope you don't mind, but I've added linux-scsi back to the CC.
This is a static checker which is complaining that the code is not
checking for NULL consistently. If "ioc->sense_dma_pool" is NULL
then we will crash inside pci_pool_free(). The NULL dereference is
on the line where we do:
mm/dmapool.c
391 void dma_pool_free(struct dma_pool *pool, void *vaddr, dma_addr_t dma)
392 {
393 struct dma_page *page;
394 unsigned long flags;
395 unsigned int offset;
396
397 spin_lock_irqsave(&pool->lock, flags);
^^^^^^^^^^^
This dereference will cause a crash because we call pci_pool_free()
without testing for NULL.
398 page = pool_find_page(pool, dma);
In other words:
drivers/scsi/mpt3sas/mpt3sas_base.c
2481 if (ioc->sense) {
2482 pci_pool_free(ioc->sense_dma_pool, ioc->sense, ioc->sense_dma);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We crash on this line before we reach the NULL test on the next
line.
2483 if (ioc->sense_dma_pool)
2484 pci_pool_destroy(ioc->sense_dma_pool);
I've looked at the code, and you're right that if (ioc->sense) {
is non-NULL that means ->sense_dma_pool is non-NULL. ioc->sense is
allocated from the DMA pool.
I would like to just remove the test and silence the warning
message.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-03-14 14:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-03-11 11:40 [patch] [SCSI] mpt3sas: move dereference under check Dan Carpenter
[not found] ` <DCD177647606E9419ED923E0C8C4AA7223E78BBBA3@inbmail02.lsi.com>
2013-03-14 14:34 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox