[PATCH] scsi: lpfc: fix double free bug in lpfc_bsg_write_ebuf_set
From: Zheng Wang
Date: Fri Oct 28 2022 - 01:08:23 EST
When an error occurs, dmabuf is freed in both lpfc_bsg_write_ebuf_set
and lpfc_bsg_issue_mbox, which is a double free.
Fix it by removing the free code in lpfc_bsg_write_ebuf_set.
Reported-by: Zheng Wang <hackerzheng666@xxxxxxxxx>
Reported-by: Zhuorao Yang <alex000young@xxxxxxxxx>
Fixes: 7ad20aa9d39a ("[SCSI] lpfc 8.3.24: Extend BSG infrastructure and add link diagnostics")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
---
drivers/scsi/lpfc/lpfc_bsg.c | 17 +++--------------
1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
index ac0c7ccf2eae..7362d9c1a50b 100644
--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -4439,15 +4439,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
if (!dd_data) {
- rc = -ENOMEM;
- goto job_error;
+ return -ENOMEM;
}
/* mailbox command structure for base driver */
pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
if (!pmboxq) {
- rc = -ENOMEM;
- goto job_error;
+ return -ENOMEM;
}
memset(pmboxq, 0, sizeof(LPFC_MBOXQ_t));
pbuf = (uint8_t *)phba->mbox_ext_buf_ctx.mbx_dmabuf->virt;
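Review bot: The second `return -ENOMEM;` in this hunk, taken when `mempool_alloc()` fails, now exits without releasing `dd_data`, which the removed `job_error` path freed with `kfree(dd_data)`. The `return -EPIPE;` in the next hunk has the same problem and appears to leak both `pmboxq` and `dd_data`, because the last hunk deletes the `mempool_free()` and `kfree()` calls together with the `dmabuf` free. Assuming neither object has been handed to another owner at those failure points (the function body continues outside the hunks, so this should be confirmed), the double free can be fixed more narrowly by keeping the `goto job_error` exits and deleting only `lpfc_bsg_dma_page_free(phba, dmabuf);` from the label. That keeps the error path from leaking kernel memory on every failed request while still leaving `dmabuf` ownership with the caller.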
@@ -4480,8 +4478,7 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
lpfc_printf_log(phba, KERN_ERR, LOG_LIBDFC,
"2970 Failed to issue SLI_CONFIG ext-buffer "
"mailbox command, rc:x%x\n", rc);
- rc = -EPIPE;
- goto job_error;
+ return -EPIPE;
}
/* wait for additional external buffers */
@@ -4489,14 +4486,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
bsg_job_done(job, bsg_reply->result,
bsg_reply->reply_payload_rcv_len);
return SLI_CONFIG_HANDLED;
-
-job_error:
- if (pmboxq)
- mempool_free(pmboxq, phba->mbox_mem_pool);
- lpfc_bsg_dma_page_free(phba, dmabuf);
- kfree(dd_data);
-
- return rc;
}
/**
--
2.25.1