[PATCH 1/2] qla2xxx: Fix use after free in qla2x000_process

linux-scsi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 1/2] qla2xxx: Fix use after free in qla2x000_process_loopback.
       [not found] <1344959335-10845-1-git-send-email-y>
@ 2012-08-14 15:48 ` steve
  2012-08-14 15:48 ` [PATCH 2/2] qla2xxx: Free rsp_data even on error in qla2x00_process_loopback() steve
  1 sibling, 0 replies; 2+ messages in thread
From: steve @ 2012-08-14 15:48 UTC (permalink / raw)
  To: linux-scsi, linux-driver, Andrew Vasquez, James E.J. Bottomley
  Cc: Steve Hodgson

From: Steve Hodgson <steve@purestorage.com>

Don't touch fc_bsg_job after calling job_done() which completes the bio
freeing the memory. Whilst here fix a few other intsances of this error.

Signed-off-by: Steve Hodgson <steve@purestorage.com>
---
 drivers/scsi/qla2xxx/qla_bsg.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index c688838..765be8e 100644
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -827,7 +827,6 @@ qla2x00_process_loopback(struct fc_bsg_job *bsg_job)
 			bsg_job->reply_payload.sg_cnt, rsp_data,
 			rsp_data_len);
 	}
-	bsg_job->job_done(bsg_job);
 
 	dma_free_coherent(&ha->pdev->dev, rsp_data_len,
 		rsp_data, rsp_data_dma);
@@ -842,6 +841,7 @@ done_unmap_req_sg:
 	dma_unmap_sg(&ha->pdev->dev,
 	    bsg_job->request_payload.sg_list,
 	    bsg_job->request_payload.sg_cnt, DMA_TO_DEVICE);
+	bsg_job->job_done(bsg_job);
 	return rval;
 }
 
@@ -975,7 +975,6 @@ qla84xx_updatefw(struct fc_bsg_job *bsg_job)
 		bsg_job->reply->result = DID_OK;
 	}
 
-	bsg_job->job_done(bsg_job);
 	dma_pool_free(ha->s_dma_pool, mn, mn_dma);
 
 done_free_fw_buf:
@@ -985,6 +984,7 @@ done_unmap_sg:
 	dma_unmap_sg(&ha->pdev->dev, bsg_job->request_payload.sg_list,
 		bsg_job->request_payload.sg_cnt, DMA_TO_DEVICE);
 
+	bsg_job->job_done(bsg_job);
 	return rval;
 }
 
@@ -1173,8 +1173,6 @@ qla84xx_mgmt_cmd(struct fc_bsg_job *bsg_job)
 		}
 	}
 
-	bsg_job->job_done(bsg_job);
-
 done_unmap_sg:
 	if (mgmt_b)
 		dma_free_coherent(&ha->pdev->dev, data_len, mgmt_b, mgmt_dma);
@@ -1189,6 +1187,8 @@ done_unmap_sg:
 exit_mgmt:
 	dma_pool_free(ha->s_dma_pool, mn, mn_dma);
 
+	bsg_job->job_done(bsg_job);
+
 	return rval;
 }
 
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [PATCH 2/2] qla2xxx: Free rsp_data even on error in qla2x00_process_loopback()
       [not found] <1344959335-10845-1-git-send-email-y>
  2012-08-14 15:48 ` [PATCH 1/2] qla2xxx: Fix use after free in qla2x000_process_loopback steve
@ 2012-08-14 15:48 ` steve
  1 sibling, 0 replies; 2+ messages in thread
From: steve @ 2012-08-14 15:48 UTC (permalink / raw)
  To: linux-scsi, linux-driver, Andrew Vasquez, James E.J. Bottomley
  Cc: Steve Hodgson

From: Steve Hodgson <steve@purestorage.com>

Signed-off-by: Steve Hodgson <steve@purestorage.com>
---
 drivers/scsi/qla2xxx/qla_bsg.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
index 765be8e..f465c3e 100644
--- a/drivers/scsi/qla2xxx/qla_bsg.c
+++ b/drivers/scsi/qla2xxx/qla_bsg.c
@@ -726,7 +726,7 @@ qla2x00_process_loopback(struct fc_bsg_job *bsg_job)
 				    "Get port config failed.\n");
 				bsg_job->reply->result = (DID_ERROR << 16);
 				rval = -EPERM;
-				goto done_free_dma_req;
+				goto done_free_dma_rsp;
 			}
 
 			if (elreq.options != EXTERNAL_LOOPBACK) {
@@ -740,7 +740,7 @@ qla2x00_process_loopback(struct fc_bsg_job *bsg_job)
 					bsg_job->reply->result =
 						(DID_ERROR << 16);
 					rval = -EPERM;
-					goto done_free_dma_req;
+					goto done_free_dma_rsp;
 				}
 			} else {
 				/* For external loopback to work
@@ -751,7 +751,7 @@ qla2x00_process_loopback(struct fc_bsg_job *bsg_job)
 					bsg_job->reply->result =
 						(DID_ERROR << 16);
 					rval = -EPERM;
-					goto done_free_dma_req;
+					goto done_free_dma_rsp;
 				}
 			}
 
@@ -786,7 +786,7 @@ qla2x00_process_loopback(struct fc_bsg_job *bsg_job)
 
 				bsg_job->reply->result = (DID_ERROR << 16);
 				rval = -EIO;
-				goto done_free_dma_req;
+				goto done_free_dma_rsp;
 			}
 		} else {
 			type = "FC_BSG_HST_VENDOR_LOOPBACK";
@@ -828,6 +828,7 @@ qla2x00_process_loopback(struct fc_bsg_job *bsg_job)
 			rsp_data_len);
 	}
 
+done_free_dma_rsp:
 	dma_free_coherent(&ha->pdev->dev, rsp_data_len,
 		rsp_data, rsp_data_dma);
 done_free_dma_req:
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2012-08-14 15:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <1344959335-10845-1-git-send-email-y>
2012-08-14 15:48 ` [PATCH 1/2] qla2xxx: Fix use after free in qla2x000_process_loopback steve
2012-08-14 15:48 ` [PATCH 2/2] qla2xxx: Free rsp_data even on error in qla2x00_process_loopback() steve

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).