Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 70288b4c authored by wenxiong@linux.vnet.ibm.com's avatar wenxiong@linux.vnet.ibm.com Committed by James Bottomley
Browse files

[SCSI] ipr: Avoid target_destroy accessing memory after it was freed 



Defined target_ids,array_ids and vsets_ids as unsigned long to avoid
target_destroy accessing memory after it was freed.

Signed-off-by: default avatarWen Xiong <wenxiong@linux.vnet.ibm.com>
Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
parent 1642e662

drivers/scsi/ipr.c

+0 −16
Original line number Original line Diff line number Diff line
@@ -8980,19 +8980,6 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg) 
	if (!ioa_cfg->res_entries)

	if (!ioa_cfg->res_entries)

		goto out;

		goto out;





	if (ioa_cfg->sis64) {

		ioa_cfg->target_ids = kzalloc(sizeof(unsigned long) *

					      BITS_TO_LONGS(ioa_cfg->max_devs_supported), GFP_KERNEL);

		ioa_cfg->array_ids = kzalloc(sizeof(unsigned long) *

					     BITS_TO_LONGS(ioa_cfg->max_devs_supported), GFP_KERNEL);

		ioa_cfg->vset_ids = kzalloc(sizeof(unsigned long) *

					    BITS_TO_LONGS(ioa_cfg->max_devs_supported), GFP_KERNEL);



		if (!ioa_cfg->target_ids || !ioa_cfg->array_ids

			|| !ioa_cfg->vset_ids)

			goto out_free_res_entries;

	}



	for (i = 0; i < ioa_cfg->max_devs_supported; i++) {

	for (i = 0; i < ioa_cfg->max_devs_supported; i++) {

		list_add_tail(&ioa_cfg->res_entries[i].queue, &ioa_cfg->free_res_q);

		list_add_tail(&ioa_cfg->res_entries[i].queue, &ioa_cfg->free_res_q);

		ioa_cfg->res_entries[i].ioa_cfg = ioa_cfg;

		ioa_cfg->res_entries[i].ioa_cfg = ioa_cfg;
@@ -9089,9 +9076,6 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg) 
			    ioa_cfg->vpd_cbs, ioa_cfg->vpd_cbs_dma);

			    ioa_cfg->vpd_cbs, ioa_cfg->vpd_cbs_dma);

out_free_res_entries:

out_free_res_entries:

	kfree(ioa_cfg->res_entries);

	kfree(ioa_cfg->res_entries);

	kfree(ioa_cfg->target_ids);

	kfree(ioa_cfg->array_ids);

	kfree(ioa_cfg->vset_ids);

	goto out;

	goto out;

}

}

drivers/scsi/ipr.h

+3 −3
Original line number Original line Diff line number Diff line
@@ -1440,9 +1440,9 @@ struct ipr_ioa_cfg { 
	/*

	/*

	 * Bitmaps for SIS64 generated target values

	 * Bitmaps for SIS64 generated target values

	 */

	 */

	unsigned long *target_ids;

	unsigned long target_ids[BITS_TO_LONGS(IPR_MAX_SIS64_DEVS)];

	unsigned long *array_ids;

	unsigned long array_ids[BITS_TO_LONGS(IPR_MAX_SIS64_DEVS)];

	unsigned long *vset_ids;

	unsigned long vset_ids[BITS_TO_LONGS(IPR_MAX_SIS64_DEVS)];





	u16 type; /* CCIN of the card */

	u16 type; /* CCIN of the card */