
Commit 98f57c51 authored by Selvan Mani's avatar Selvan Mani Committed by Jens Axboe

mtip32xx: Fix accessing freed memory



In mtip_pci_remove(), the driver data 'dd' is accessed after it has been freed.
This is left over from the SRSI code cleanup in commit 016a41c38821 "mtip32xx: fix
crash on surprise removal of the drive". The bit flags MTIP_DDF_REMOVE_DONE_BIT
and MTIP_PF_SR_CLEANUP_BIT are no longer needed and are removed.

Reported-by: default avatarJulia Lawall <julia.lawall@lip6.fr>
Signed-off-by: default avatarVignesh Gunasekaran <vgunasekaran@micron.com>
Signed-off-by: default avatarSelvan Mani <smani@micron.com>
Signed-off-by: default avatarAsai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: default avatarJens Axboe <axboe@fb.com>
parent 51ef72bd
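--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -163,12 +163,6 @@ static bool mtip_check_surprise_removal(struct pci_dev *pdev)
 		else
 			dev_warn(&dd->pdev->dev,
 				"%s: dd->queue is NULL\n", __func__);
-		if (dd->port) {
-			set_bit(MTIP_PF_SR_CLEANUP_BIT, &dd->port->flags);
-			wake_up_interruptible(&dd->port->svc_wait);
-		} else
-			dev_warn(&dd->pdev->dev,
-				"%s: dd->port is NULL\n", __func__);
 		return true; /* device removed */
 	}
 
@@ -2938,10 +2932,6 @@ static int mtip_service_thread(void *data)
 			test_bit(MTIP_PF_SVC_THD_STOP_BIT, &port->flags))
 			goto st_out;
 
-		/* If I am an orphan, start self cleanup */
-		if (test_bit(MTIP_PF_SR_CLEANUP_BIT, &port->flags))
-			break;
-
 		if (unlikely(test_bit(MTIP_DDF_REMOVE_PENDING_BIT,
 				&dd->dd_flag)))
 			goto st_out;
@@ -2995,14 +2985,6 @@ static int mtip_service_thread(void *data)
 		}
 	}
 
-	/* wait for pci remove to exit */
-	while (1) {
-		if (test_bit(MTIP_DDF_REMOVE_DONE_BIT, &dd->dd_flag))
-			break;
-		msleep_interruptible(1000);
-		if (kthread_should_stop())
-			goto st_out;
-	}
 st_out:
 	return 0;
 }
@@ -4486,7 +4468,6 @@ static void mtip_pci_remove(struct pci_dev *pdev)
 	spin_unlock_irqrestore(&dev_lock, flags);
 
 	kfree(dd);
-	set_bit(MTIP_DDF_REMOVE_DONE_BIT, &dd->dd_flag);
 
 	pcim_iounmap_regions(pdev, 1 << MTIP_ABAR);
 	pci_set_drvdata(pdev, NULL);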
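Review bot: In the last hunk `kfree(dd);` still runs three lines before `pci_set_drvdata(pdev, NULL);`, so for that window the PCI device's drvdata points at freed memory, and any concurrent caller of `pci_get_drvdata()` on this device — presumably how the surprise-removal path in the first hunk obtains `dd`, though that function's start is outside the hunk — would pick up a dangling pointer, the same class of use-after-free this commit removes. Swapping the order, `pci_set_drvdata(pdev, NULL);` before `kfree(dd);`, closes the window at no cost, since neither `pcim_iounmap_regions()` nor the drvdata reset needs `dd`. mtip_pci_remove's body begins outside the hunk, so whether earlier teardown already quiesces every such caller cannot be confirmed from here; if it does, a one-line comment above `kfree(dd)` stating that assumption would help the next reader.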
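--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -142,7 +142,6 @@ enum {
 	MTIP_PF_SVC_THD_ACTIVE_BIT  = 4,
 	MTIP_PF_ISSUE_CMDS_BIT      = 5,
 	MTIP_PF_REBUILD_BIT         = 6,
-	MTIP_PF_SR_CLEANUP_BIT      = 7,
 	MTIP_PF_SVC_THD_STOP_BIT    = 8,
 
 	/* below are bit numbers in 'dd_flag' defined in driver_data */
@@ -150,7 +149,6 @@ enum {
 	MTIP_DDF_REMOVE_PENDING_BIT = 1,
 	MTIP_DDF_OVER_TEMP_BIT      = 2,
 	MTIP_DDF_WRITE_PROTECT_BIT  = 3,
-	MTIP_DDF_REMOVE_DONE_BIT    = 4,
 	MTIP_DDF_CLEANUP_BIT        = 5,
 	MTIP_DDF_RESUME_BIT         = 6,
 	MTIP_DDF_INIT_DONE_BIT      = 7,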