Message ID | 20230422101626.1722235-1-meetlpz@hust.edu.cn |
---|---|
State | New |
Series | scsi: qedi: qedi_main.c: modify the code flow in 'qedi_alloc_global_queues' |
> -----Original Message----- > From: Peizhi Li <meetlpz@hust.edu.cn> > Sent: Saturday, April 22, 2023 3:46 PM > To: Nilesh Javali <njavali@marvell.com>; Manish Rangankar > <mrangankar@marvell.com>; GR-QLogic-Storage-Upstream <GR-QLogic- > Storage-Upstream@marvell.com>; James E.J. Bottomley > <jejb@linux.ibm.com>; Martin K. Petersen <martin.petersen@oracle.com> > Cc: hust-os-kernel-patches@googlegroups.com; Peizhi Li > <meetlpz@hust.edu.cn>; Dongliang Mu <dzm91@hust.edu.cn>; Dan > Carpenter <dan.carpenter@linaro.org>; linux-scsi@vger.kernel.org; linux- > kernel@vger.kernel.org > Subject: [EXT] [PATCH] scsi: qedi: qedi_main.c: modify the code flow in > 'qedi_alloc_global_queues' > > External Email > > ---------------------------------------------------------------------- > When goto the mem_alloc_failure, it will result in a null pointer reference to > variable 'gl' in function 'qedi_free_global_queues', due to the 'qedi- > >global_queues' not being allocated. > > Fix this by returning -EINVAL directly. > > Signed-off-by: Peizhi Li <meetlpz@hust.edu.cn> > Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn> > Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > The issue is found by static analysis and remains untested. Meanwhile, this > patches is similar with qedf which Jinhong Zhu fixed already. > > https://urldefense.proofpoint.com/v2/url?u=https- > 3A__lore.kernel.org_all_20230417135518.184595-2D1-2Djinhongzhu- > 40hust.edu.cn_&d=DwIDAg&c=nKjWec2b6R0mOyPaz7xtfQ&r=At6ko6G2bm > E5NMB-6KMSliwRneAzZrOmmK21YHGCrqw&m=5ieD0l90bssMZBp8xnyd- > eE3D1n_4P8CQfuaR8BW1hauGGhRlK891lfcT4e- > UAyo&s=DshVk_3xiEVzwIyxpk90ObNr4U4lx6daDaS3uuN6t6g&e= > drivers/scsi/qedi/qedi_main.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c > index f2ee49756df8..34f38e0f1c7d 100644 > --- a/drivers/scsi/qedi/qedi_main.c > +++ b/drivers/scsi/qedi/qedi_main.c 
> @@ -1637,8 +1637,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx > *qedi) > * addresses of our queues > */ > if (!qedi->p_cpuq) { > - status = -EINVAL; > - goto mem_alloc_failure; > + return -EINVAL; > } > > qedi->global_queues = kzalloc((sizeof(struct global_queue *) * > -- > 2.25.1 Thanks, Acked-by: Manish Rangankar <mrangankar@marvell.com>
On 4/22/23 5:16 AM, Peizhi Li wrote: > When goto the mem_alloc_failure, it will result in a null pointer > reference to variable 'gl' in function 'qedi_free_global_queues', > due to the 'qedi->global_queues' not being allocated. > > Fix this by returning -EINVAL directly. > > Signed-off-by: Peizhi Li <meetlpz@hust.edu.cn> > Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn> > Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > The issue is found by static analysis and remains untested. Meanwhile, > this patches is similar with qedf which Jinhong Zhu fixed already. > > https://lore.kernel.org/all/20230417135518.184595-1-jinhongzhu@hust.edu.cn/ > drivers/scsi/qedi/qedi_main.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c > index f2ee49756df8..34f38e0f1c7d 100644 > --- a/drivers/scsi/qedi/qedi_main.c > +++ b/drivers/scsi/qedi/qedi_main.c > @@ -1637,8 +1637,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi) > * addresses of our queues > */ > if (!qedi->p_cpuq) { > - status = -EINVAL; > - goto mem_alloc_failure; > + return -EINVAL; > } > The patch looks ok: Reviewed-by: Mike Christie <michael.christie@oracle.com> Looks like there is another issue in this code path though. If qedi_alloc_global_queues fails in qedi_set_iscsi_pf_param the err_alloc_mem goto just ends up returning, so the p_cpuq allocation a couple lines before the qedi_set_iscsi_pf_param call will be leaked. The __qedi_probe call to qedi_set_iscsi_pf_param just frees the iscsi host, so it won't be freed via a qedi_free_iscsi_pf_param later. So, I think qedi_set_iscsi_pf_param's err_alloc_mem goto handler should free the p_cpuq.
diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c index f2ee49756df8..34f38e0f1c7d 100644 --- a/drivers/scsi/qedi/qedi_main.c +++ b/drivers/scsi/qedi/qedi_main.c @@ -1637,8 +1637,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi) * addresses of our queues */ if (!qedi->p_cpuq) { - status = -EINVAL; - goto mem_alloc_failure; + return -EINVAL; } qedi->global_queues = kzalloc((sizeof(struct global_queue *) *
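Review bot: in the `if (!qedi->p_cpuq)` block, the braces are now left around a single statement, which kernel coding style asks to drop; with the `status` assignment and the `goto` gone, this can be a bare `if (!qedi->p_cpuq)` followed by `return -EINVAL;`. The direct return is the right exit at this point: the `kzalloc()` that fills `qedi->global_queues` only comes on the next line, so this function has nothing to unwind yet and there is no reason to go through `mem_alloc_failure`.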