2016-04-08 15:42:59

by Sudip Mukherjee

Subject: [PATCH] mpt3sas: fix possible NULL dereference

We are dereferencing ioc->sense_dma_pool in pci_pool_free() and after
that we are checking if it is NULL, before calling pci_pool_destroy().
Let's check if it is NULL before calling both pci_pool_free() and
pci_pool_destroy().

Signed-off-by: Sudip Mukherjee <[email protected]>
---
drivers/scsi/mpt3sas/mpt3sas_base.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
index 8c44b9c..778c2ec 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -3087,9 +3087,11 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc)
}

if (ioc->sense) {
- pci_pool_free(ioc->sense_dma_pool, ioc->sense, ioc->sense_dma);
- if (ioc->sense_dma_pool)
+ if (ioc->sense_dma_pool) {
+ pci_pool_free(ioc->sense_dma_pool, ioc->sense,
+ ioc->sense_dma);
pci_pool_destroy(ioc->sense_dma_pool);
+ }
dexitprintk(ioc, pr_info(MPT3SAS_FMT
"sense_pool(0x%p): free\n",
ioc->name, ioc->sense));
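
Review bot: pci_pool_destroy() is still nested inside the outer `if (ioc->sense)` block, so a pool that was created but has no sense buffer allocated from it (ioc->sense NULL, ioc->sense_dma_pool non-NULL) is never destroyed on this path. Consider keeping pci_pool_free() under both the ioc->sense and ioc->sense_dma_pool checks, and moving the `if (ioc->sense_dma_pool) pci_pool_destroy(ioc->sense_dma_pool);` test out of the ioc->sense block so the pool is released whenever it exists. The new inner branch also skips the free when ioc->sense is set but the pool pointer is NULL, while the dexitprintk below still reports "free"; if that state cannot occur, the commit message should say so, otherwise the message should move inside the branch. Neither pointer is cleared after release in the visible lines, so it is worth checking that a second call to _base_release_memory_pools() cannot free the same buffer twice.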
--
1.9.1


2016-04-15 02:44:16

by Martin K. Petersen

Subject: Re: [PATCH] mpt3sas: fix possible NULL dereference

>>>>> "Sudip" == Sudip Mukherjee <[email protected]> writes:

Sudip> We are dereferencing ioc->sense_dma_pool in pci_pool_free() and
Sudip> after that we are checking if it is NULL, before calling
Sudip> pci_pool_destroy(). Let's check if it is NULL before calling both
Sudip> pci_pool_free() and pci_pool_destroy().

Broadcom folks, please review.

--
Martin K. Petersen Oracle Linux Engineering

Subject: RE: [PATCH] mpt3sas: fix possible NULL dereference

We need to do some more changes in this. The concept is first pool alloc
and then memory alloc in the pool, so the memory has to be freed if the
memory is allocated in the pool and irrespective of memory allocated or
not the pool has to be destroyed if it is created. We will work
internally and provide a complete patch.

Thanks
Sathya

-----Original Message-----
From: Martin K. Petersen [mailto:[email protected]]
Sent: Thursday, April 14, 2016 8:44 PM
To: Sudip Mukherjee
Cc: Sathya Prakash; Chaitra P B; Suganath Prabu Subramani; James E.J.
Bottomley; Martin K. Petersen; [email protected];
[email protected]; [email protected]
Subject: Re: [PATCH] mpt3sas: fix possible NULL dereference

>>>>> "Sudip" == Sudip Mukherjee <[email protected]> writes:

Sudip> We are dereferencing ioc->sense_dma_pool in pci_pool_free() and
Sudip> after that we are checking if it is NULL, before calling
Sudip> pci_pool_destroy(). Let's check if it is NULL before calling both
Sudip> pci_pool_free() and pci_pool_destroy().

Broadcom folks, please review.

--
Martin K. Petersen Oracle Linux Engineering