mtip32xx: Fix accessing freed memory

In mtip_pci_remove(), driver data 'dd' is accessed after freeing it. This is a residue of SRSI code cleanup in the patch 016a41c38821 "mtip32xx: fix crash on surprise removal of the drive". Removed the bit flags MTIP_DDF_REMOVE_DONE_BIT and MTIP_PF_SR_CLEANUP_BIT. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Vignesh Gunasekaran <vgunasekaran@micron.com> Signed-off-by: Selvan Mani <smani@micron.com> Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com> Signed-off-by: Jens Axboe <axboe@fb.com>
author: Selvan Mani <smani@micron.com> 2015-06-24 10:48:46 -0400
committer: Jens Axboe <axboe@fb.com> 2015-06-24 10:48:46 -0400
commit: 98f57c5196f7a1f681246858f5860c1120d01ca9 (patch)
tree: 1bda5604571185810e22be1258890d9664bff43a /drivers/block
parent: 51ef72bda70841fddd595142ed0e7e0fc571c500 (diff)
2 files changed, 0 insertions, 21 deletions
diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
index 144e7d97b647..4a2ef09e6704 100644
--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -163,12 +163,6 @@ static bool mtip_check_surprise_removal(struct pci_dev *pdev)
                else
                        dev_warn(&dd->pdev->dev,
                                "%s: dd->queue is NULL\n", __func__);
-                if (dd->port) {
-                        set_bit(MTIP_PF_SR_CLEANUP_BIT, &dd->port->flags);
-                        wake_up_interruptible(&dd->port->svc_wait);
-                } else
-                        dev_warn(&dd->pdev->dev,
-                                "%s: dd->port is NULL\n", __func__);
                return true; /* device removed */
        }
@@ -2938,10 +2932,6 @@ static int mtip_service_thread(void *data)
                        test_bit(MTIP_PF_SVC_THD_STOP_BIT, &port->flags))
                        goto st_out;
-                /* If I am an orphan, start self cleanup */
-                if (test_bit(MTIP_PF_SR_CLEANUP_BIT, &port->flags))
-                        break;
                if (unlikely(test_bit(MTIP_DDF_REMOVE_PENDING_BIT,
                                &dd->dd_flag)))
                        goto st_out;
@@ -2995,14 +2985,6 @@ restart_eh:
                }
        }
-        /* wait for pci remove to exit */
-        while (1) {
-                if (test_bit(MTIP_DDF_REMOVE_DONE_BIT, &dd->dd_flag))
-                        break;
-                msleep_interruptible(1000);
-                if (kthread_should_stop())
-                        goto st_out;
-        }
 st_out:
        return 0;
 }
@@ -4486,7 +4468,6 @@ static void mtip_pci_remove(struct pci_dev *pdev)
        spin_unlock_irqrestore(&dev_lock, flags);
        kfree(dd);
-        set_bit(MTIP_DDF_REMOVE_DONE_BIT, &dd->dd_flag);
        pcim_iounmap_regions(pdev, 1 << MTIP_ABAR);
        pci_set_drvdata(pdev, NULL);
diff --git a/drivers/block/mtip32xx/mtip32xx.h b/drivers/block/mtip32xx/mtip32xx.h
index d7a545974c78..3274784008eb 100644
--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -142,7 +142,6 @@ enum {
        MTIP_PF_SVC_THD_ACTIVE_BIT  = 4,
        MTIP_PF_ISSUE_CMDS_BIT      = 5,
        MTIP_PF_REBUILD_BIT         = 6,
-        MTIP_PF_SR_CLEANUP_BIT      = 7,
        MTIP_PF_SVC_THD_STOP_BIT    = 8,
        /* below are bit numbers in 'dd_flag' defined in driver_data */
@@ -150,7 +149,6 @@ enum {
        MTIP_DDF_REMOVE_PENDING_BIT = 1,
        MTIP_DDF_OVER_TEMP_BIT      = 2,
        MTIP_DDF_WRITE_PROTECT_BIT  = 3,
-        MTIP_DDF_REMOVE_DONE_BIT    = 4,
        MTIP_DDF_CLEANUP_BIT        = 5,
        MTIP_DDF_RESUME_BIT         = 6,
        MTIP_DDF_INIT_DONE_BIT      = 7,
author	Selvan Mani <smani@micron.com>	2015-06-24 10:48:46 -0400
committer	Jens Axboe <axboe@fb.com>	2015-06-24 10:48:46 -0400
commit	98f57c5196f7a1f681246858f5860c1120d01ca9 (patch)
tree	1bda5604571185810e22be1258890d9664bff43a /drivers/block
parent	51ef72bda70841fddd595142ed0e7e0fc571c500 (diff)