projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b044d14)
bnx2fc: fix memory leak and potential NULL pointer dereference.
authorMaurizio Lombardi <mlombard@redhat.com>
Tue, 1 Apr 2014 11:58:21 +0000 (13:58 +0200)
committerChristoph Hellwig <hch@lst.de>
Mon, 19 May 2014 17:29:57 +0000 (19:29 +0200)
If bnx2fc_allocate_hash_table() for some reasons fails, it is possible that the
hash_tbl_segments or the hash_tbl_pbl pointers are NULL.
In this case bnx2fc_free_hash_table() will panic the system.

this patch also fixes a memory leak, the hash_tbl_segments pointer was never
freed.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Acked-by: Eddie Wai <eddie.wai@broadcom.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
drivers/scsi/bnx2fc/bnx2fc_hwi.c patch | blob | blame | history

diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
index 261af2a41d2481d3ad24ac2dcc99038c19f9013a..f83bae48e6b7bed9ba5d67738abd693cd3f422f3 100644 (file)
--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
@@ -1968,21 +1968,27 @@ static void bnx2fc_free_hash_table(struct bnx2fc_hba *hba)
        int segment_count;
        u32 *pbl;
 
-       segment_count = hba->hash_tbl_segment_count;
-
-       pbl = hba->hash_tbl_pbl;
-       for (i = 0; i < segment_count; ++i) {
-               dma_addr_t dma_address;
-
-               dma_address = le32_to_cpu(*pbl);
-               ++pbl;
-               dma_address += ((u64)le32_to_cpu(*pbl)) << 32;
-               ++pbl;
-               dma_free_coherent(&hba->pcidev->dev,
-                                 BNX2FC_HASH_TBL_CHUNK_SIZE,
-                                 hba->hash_tbl_segments[i],
-                                 dma_address);
+       if (hba->hash_tbl_segments) {
+
+               pbl = hba->hash_tbl_pbl;
+               if (pbl) {
+                       segment_count = hba->hash_tbl_segment_count;
+                       for (i = 0; i < segment_count; ++i) {
+                               dma_addr_t dma_address;
+
+                               dma_address = le32_to_cpu(*pbl);
+                               ++pbl;
+                               dma_address += ((u64)le32_to_cpu(*pbl)) << 32;
+                               ++pbl;
+                               dma_free_coherent(&hba->pcidev->dev,
+                                                 BNX2FC_HASH_TBL_CHUNK_SIZE,
+                                                 hba->hash_tbl_segments[i],
+                                                 dma_address);
+                       }
+               }
 
+               kfree(hba->hash_tbl_segments);
+               hba->hash_tbl_segments = NULL;
        }
 
        if (hba->hash_tbl_pbl) {