2012-05-17 07:11:33

by Dan Carpenter

Subject: [patch] [SCSI] qla4xxx: don't free pool that wasn't allocated

In the original code if dma_pool_alloc() fails then we call
dma_pool_free(). The problem is that "chap_table" is NULL and
"chap_dma" is uninitialized so it will cause an error.

Signed-off-by: Dan Carpenter <[email protected]>

diff --git a/drivers/scsi/qla4xxx/ql4_mbx.c b/drivers/scsi/qla4xxx/ql4_mbx.c
index 7ac21da..21dce92 100644
--- a/drivers/scsi/qla4xxx/ql4_mbx.c
+++ b/drivers/scsi/qla4xxx/ql4_mbx.c
@@ -1329,10 +1329,8 @@ int qla4xxx_get_chap(struct scsi_qla_host *ha, char *username, char *password,
dma_addr_t chap_dma;

chap_table = dma_pool_alloc(ha->chap_dma_pool, GFP_KERNEL, &chap_dma);
- if (chap_table == NULL) {
- ret = -ENOMEM;
- goto exit_get_chap;
- }
+ if (chap_table == NULL)
+ return -ENOMEM;

chap_size = sizeof(struct ql4_chap_table);
memset(chap_table, 0, chap_size);
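
Review bot: The new `return -ENOMEM;` in the `chap_table == NULL` branch bypasses `exit_get_chap` entirely, so it is correct only while nothing acquired before the dma_pool_alloc() call needs unwinding. The context in this hunk shows just the `chap_dma` declaration above the allocation, but the changelog should state that explicitly so the early return is not later copied below a point where cleanup is required. It would also help to name the failure more precisely than "it will cause an error", given that the changelog says the removed path reached dma_pool_free() with a NULL `chap_table` and an uninitialized `chap_dma`.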


2012-05-17 07:13:48

by Dan Carpenter

Subject: [patch] [SCSI] qla2xxx: don't free pool that wasn't allocated

In the original code, if dma_pool_alloc() fails then we call
dma_pool_free(). It causes an error, possibly a NULL dereference.

Signed-off-by: Dan Carpenter <[email protected]>

diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
index c17975d..44380d3 100644
--- a/drivers/scsi/qla2xxx/qla_iocb.c
+++ b/drivers/scsi/qla2xxx/qla_iocb.c
@@ -2386,7 +2386,7 @@ sufficient_dsds:
if (!ctx->fcp_cmnd) {
ql_log(ql_log_fatal, vha, 0x3011,
"Failed to allocate fcp_cmnd for cmd=%p.\n", cmd);
- goto queuing_error_fcp_cmnd;
+ goto queuing_error;
}

/* Initialize the DSD list and dma handle */
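
Review bot: At `goto queuing_error;` in the `!ctx->fcp_cmnd` branch, neither label body is visible in this hunk, so the changelog should confirm that `queuing_error` still releases everything set up before the failed allocation (`ctx` is already in use at this point) and that the only cleanup being skipped is the dma_pool_free() of `fcp_cmnd`. "Possibly a NULL dereference" is also vague for a path that is logged at `ql_log_fatal`; say which pointer dma_pool_free() would have received here.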

2012-05-17 15:55:55

by Mike Christie

Subject: Re: [patch] [SCSI] qla4xxx: don't free pool that wasn't allocated

On 05/17/2012 02:11 AM, Dan Carpenter wrote:
> In the original code if dma_pool_alloc() fails then we call
> dma_pool_free(). The problem is that "chap_table" is NULL and
> "chap_dma" is uninitialized so it will cause an error.
>
> Signed-off-by: Dan Carpenter <[email protected]>
>
> diff --git a/drivers/scsi/qla4xxx/ql4_mbx.c b/drivers/scsi/qla4xxx/ql4_mbx.c
> index 7ac21da..21dce92 100644
> --- a/drivers/scsi/qla4xxx/ql4_mbx.c
> +++ b/drivers/scsi/qla4xxx/ql4_mbx.c
> @@ -1329,10 +1329,8 @@ int qla4xxx_get_chap(struct scsi_qla_host *ha, char *username, char *password,
> dma_addr_t chap_dma;
>
> chap_table = dma_pool_alloc(ha->chap_dma_pool, GFP_KERNEL, &chap_dma);
> - if (chap_table == NULL) {
> - ret = -ENOMEM;
> - goto exit_get_chap;
> - }
> + if (chap_table == NULL)
> + return -ENOMEM;
>
> chap_size = sizeof(struct ql4_chap_table);
> memset(chap_table, 0, chap_size);

I thought dma_pool_free checked the vaddr/chap_table like how kfree
checks for nulls. You are right. Looks ok to me.

Reviewed-by: Mike Christie <[email protected]>

2012-05-17 17:05:16

by Chad Dupuis

Subject: Re: [patch] [SCSI] qla2xxx: don't free pool that wasn't allocated


On Thu, 17 May 2012, Dan Carpenter wrote:

> In the original code, if dma_pool_alloc() fails then we call
> dma_pool_free(). It causes an error, possibly a NULL dereference.
>
> Signed-off-by: Dan Carpenter <[email protected]>
>
> diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
> index c17975d..44380d3 100644
> --- a/drivers/scsi/qla2xxx/qla_iocb.c
> +++ b/drivers/scsi/qla2xxx/qla_iocb.c
> @@ -2386,7 +2386,7 @@ sufficient_dsds:
> if (!ctx->fcp_cmnd) {
> ql_log(ql_log_fatal, vha, 0x3011,
> "Failed to allocate fcp_cmnd for cmd=%p.\n", cmd);
> - goto queuing_error_fcp_cmnd;
> + goto queuing_error;
> }
>
> /* Initialize the DSD list and dma handle */

Thanks for the patch.

Acked-by: Chad Dupuis <[email protected]>
