diff options
author | Dan Carpenter <error27@gmail.com> | 2010-03-15 04:26:56 -0400 |
---|---|---|
committer | James Bottomley <James.Bottomley@suse.de> | 2010-04-08 18:26:15 -0400 |
commit | 229bab6bacc42295f13c0434772381a88ce2308b (patch) | |
tree | 739c27a013a8f1661a324dfe84f752d08be4c386 | |
parent | d620a7cf05d4f12f5bbb1060d766e8139ab31458 (diff) |
[SCSI] dpt_i2o: several use after free issues
adpt_i2o_delete_hba() calls kfree() so we have to save "pHba->next"
before calling it. Also inside adpt_i2o_delete_hba() itself, there
was another use after free bug which I fixed by moving the kfree()
down a line.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
-rw-r--r-- | drivers/scsi/dpt_i2o.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 496764349c41..0435d044c9da 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c | |||
@@ -188,7 +188,8 @@ MODULE_DEVICE_TABLE(pci,dptids); | |||
188 | static int adpt_detect(struct scsi_host_template* sht) | 188 | static int adpt_detect(struct scsi_host_template* sht) |
189 | { | 189 | { |
190 | struct pci_dev *pDev = NULL; | 190 | struct pci_dev *pDev = NULL; |
191 | adpt_hba* pHba; | 191 | adpt_hba *pHba; |
192 | adpt_hba *next; | ||
192 | 193 | ||
193 | PINFO("Detecting Adaptec I2O RAID controllers...\n"); | 194 | PINFO("Detecting Adaptec I2O RAID controllers...\n"); |
194 | 195 | ||
@@ -206,7 +207,8 @@ static int adpt_detect(struct scsi_host_template* sht) | |||
206 | } | 207 | } |
207 | 208 | ||
208 | /* In INIT state, Activate IOPs */ | 209 | /* In INIT state, Activate IOPs */ |
209 | for (pHba = hba_chain; pHba; pHba = pHba->next) { | 210 | for (pHba = hba_chain; pHba; pHba = next) { |
211 | next = pHba->next; | ||
210 | // Activate does get status , init outbound, and get hrt | 212 | // Activate does get status , init outbound, and get hrt |
211 | if (adpt_i2o_activate_hba(pHba) < 0) { | 213 | if (adpt_i2o_activate_hba(pHba) < 0) { |
212 | adpt_i2o_delete_hba(pHba); | 214 | adpt_i2o_delete_hba(pHba); |
@@ -243,7 +245,8 @@ rebuild_sys_tab: | |||
243 | PDEBUG("HBA's in OPERATIONAL state\n"); | 245 | PDEBUG("HBA's in OPERATIONAL state\n"); |
244 | 246 | ||
245 | printk("dpti: If you have a lot of devices this could take a few minutes.\n"); | 247 | printk("dpti: If you have a lot of devices this could take a few minutes.\n"); |
246 | for (pHba = hba_chain; pHba; pHba = pHba->next) { | 248 | for (pHba = hba_chain; pHba; pHba = next) { |
249 | next = pHba->next; | ||
247 | printk(KERN_INFO"%s: Reading the hardware resource table.\n", pHba->name); | 250 | printk(KERN_INFO"%s: Reading the hardware resource table.\n", pHba->name); |
248 | if (adpt_i2o_lct_get(pHba) < 0){ | 251 | if (adpt_i2o_lct_get(pHba) < 0){ |
249 | adpt_i2o_delete_hba(pHba); | 252 | adpt_i2o_delete_hba(pHba); |
@@ -263,7 +266,8 @@ rebuild_sys_tab: | |||
263 | adpt_sysfs_class = NULL; | 266 | adpt_sysfs_class = NULL; |
264 | } | 267 | } |
265 | 268 | ||
266 | for (pHba = hba_chain; pHba; pHba = pHba->next) { | 269 | for (pHba = hba_chain; pHba; pHba = next) { |
270 | next = pHba->next; | ||
267 | if (adpt_scsi_host_alloc(pHba, sht) < 0){ | 271 | if (adpt_scsi_host_alloc(pHba, sht) < 0){ |
268 | adpt_i2o_delete_hba(pHba); | 272 | adpt_i2o_delete_hba(pHba); |
269 | continue; | 273 | continue; |
@@ -1229,11 +1233,10 @@ static void adpt_i2o_delete_hba(adpt_hba* pHba) | |||
1229 | } | 1233 | } |
1230 | } | 1234 | } |
1231 | pci_dev_put(pHba->pDev); | 1235 | pci_dev_put(pHba->pDev); |
1232 | kfree(pHba); | ||
1233 | |||
1234 | if (adpt_sysfs_class) | 1236 | if (adpt_sysfs_class) |
1235 | device_destroy(adpt_sysfs_class, | 1237 | device_destroy(adpt_sysfs_class, |
1236 | MKDEV(DPTI_I2O_MAJOR, pHba->unit)); | 1238 | MKDEV(DPTI_I2O_MAJOR, pHba->unit)); |
1239 | kfree(pHba); | ||
1237 | 1240 | ||
1238 | if(hba_count <= 0){ | 1241 | if(hba_count <= 0){ |
1239 | unregister_chrdev(DPTI_I2O_MAJOR, DPT_DRIVER); | 1242 | unregister_chrdev(DPTI_I2O_MAJOR, DPT_DRIVER); |