Commit 229bab6bacc42295f13c0434772381a88ce2308b
Committed by
James Bottomley
James Bottomley
1 parent
d620a7cf05
Exists in
master
and in
7 other branches
[SCSI] dpt_i2o: several use after free issues
adpt_i2o_delete_hba() calls kfree() so we have to save "pHba->next" before calling it. Also inside adpt_i2o_delete_hba() itself, there was another use after free bug which I fixed by moving the kfree() down a line. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Showing 1 changed file with 9 additions and 6 deletions Side-by-side Diff
drivers/scsi/dpt_i2o.c
| ... | ... | @@ -188,7 +188,8 @@ |
| 188 | 188 | static int adpt_detect(struct scsi_host_template* sht) |
| 189 | 189 | { |
| 190 | 190 | struct pci_dev *pDev = NULL; |
| 191 | - adpt_hba* pHba; | |
| 191 | + adpt_hba *pHba; | |
| 192 | + adpt_hba *next; | |
| 192 | 193 | |
| 193 | 194 | PINFO("Detecting Adaptec I2O RAID controllers...\n"); |
| 194 | 195 | |
| ... | ... | @@ -206,7 +207,8 @@ |
| 206 | 207 | } |
| 207 | 208 | |
| 208 | 209 | /* In INIT state, Activate IOPs */ |
| 209 | - for (pHba = hba_chain; pHba; pHba = pHba->next) { | |
| 210 | + for (pHba = hba_chain; pHba; pHba = next) { | |
| 211 | + next = pHba->next; | |
| 210 | 212 | // Activate does get status , init outbound, and get hrt |
| 211 | 213 | if (adpt_i2o_activate_hba(pHba) < 0) { |
| 212 | 214 | adpt_i2o_delete_hba(pHba); |
| ... | ... | @@ -243,7 +245,8 @@ |
| 243 | 245 | PDEBUG("HBA's in OPERATIONAL state\n"); |
| 244 | 246 | |
| 245 | 247 | printk("dpti: If you have a lot of devices this could take a few minutes.\n"); |
| 246 | - for (pHba = hba_chain; pHba; pHba = pHba->next) { | |
| 248 | + for (pHba = hba_chain; pHba; pHba = next) { | |
| 249 | + next = pHba->next; | |
| 247 | 250 | printk(KERN_INFO"%s: Reading the hardware resource table.\n", pHba->name); |
| 248 | 251 | if (adpt_i2o_lct_get(pHba) < 0){ |
| 249 | 252 | adpt_i2o_delete_hba(pHba); |
| ... | ... | @@ -263,7 +266,8 @@ |
| 263 | 266 | adpt_sysfs_class = NULL; |
| 264 | 267 | } |
| 265 | 268 | |
| 266 | - for (pHba = hba_chain; pHba; pHba = pHba->next) { | |
| 269 | + for (pHba = hba_chain; pHba; pHba = next) { | |
| 270 | + next = pHba->next; | |
| 267 | 271 | if (adpt_scsi_host_alloc(pHba, sht) < 0){ |
| 268 | 272 | adpt_i2o_delete_hba(pHba); |
| 269 | 273 | continue; |
| 270 | 274 | |
| ... | ... | @@ -1229,11 +1233,10 @@ |
| 1229 | 1233 | } |
| 1230 | 1234 | } |
| 1231 | 1235 | pci_dev_put(pHba->pDev); |
| 1232 | - kfree(pHba); | |
| 1233 | - | |
| 1234 | 1236 | if (adpt_sysfs_class) |
| 1235 | 1237 | device_destroy(adpt_sysfs_class, |
| 1236 | 1238 | MKDEV(DPTI_I2O_MAJOR, pHba->unit)); |
| 1239 | + kfree(pHba); | |
| 1237 | 1240 | |
| 1238 | 1241 | if(hba_count <= 0){ |
| 1239 | 1242 | unregister_chrdev(DPTI_I2O_MAJOR, DPT_DRIVER); |