summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwenxiong@linux.vnet.ibm.com <wenxiong@linux.vnet.ibm.com>2013-03-14 13:52:25 -0500
committerJames Bottomley <JBottomley@Parallels.com>2013-05-12 15:07:42 -0700
commit222ab5946860e1d77870ffbfebebff2bcb1f4215 (patch)
tree6ed646b1b53667ad098a6440333543ca114019bb
parent364398324c901bc834f762eb5443d2e5a1d2a0db (diff)
downloadlinux-222ab5946860e1d77870ffbfebebff2bcb1f4215.tar.gz
linux-222ab5946860e1d77870ffbfebebff2bcb1f4215.tar.bz2
linux-222ab5946860e1d77870ffbfebebff2bcb1f4215.zip
[SCSI] ipr: Avoid target_destroy accessing memory after it was freed
Defined target_ids,array_ids and vsets_ids as unsigned long to avoid target_destroy accessing memory after it was freed. Signed-off-by: Wen Xiong <wenxiong@linux.vnet.ibm.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com>
-rw-r--r--drivers/scsi/ipr.c16
-rw-r--r--drivers/scsi/ipr.h6
2 files changed, 3 insertions, 19 deletions
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 82a3c1ec8706..6c4cedb44c07 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -8980,19 +8980,6 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg)
if (!ioa_cfg->res_entries)
goto out;
- if (ioa_cfg->sis64) {
- ioa_cfg->target_ids = kzalloc(sizeof(unsigned long) *
- BITS_TO_LONGS(ioa_cfg->max_devs_supported), GFP_KERNEL);
- ioa_cfg->array_ids = kzalloc(sizeof(unsigned long) *
- BITS_TO_LONGS(ioa_cfg->max_devs_supported), GFP_KERNEL);
- ioa_cfg->vset_ids = kzalloc(sizeof(unsigned long) *
- BITS_TO_LONGS(ioa_cfg->max_devs_supported), GFP_KERNEL);
-
- if (!ioa_cfg->target_ids || !ioa_cfg->array_ids
- || !ioa_cfg->vset_ids)
- goto out_free_res_entries;
- }
-
for (i = 0; i < ioa_cfg->max_devs_supported; i++) {
list_add_tail(&ioa_cfg->res_entries[i].queue, &ioa_cfg->free_res_q);
ioa_cfg->res_entries[i].ioa_cfg = ioa_cfg;
@@ -9089,9 +9076,6 @@ out_free_vpd_cbs:
ioa_cfg->vpd_cbs, ioa_cfg->vpd_cbs_dma);
out_free_res_entries:
kfree(ioa_cfg->res_entries);
- kfree(ioa_cfg->target_ids);
- kfree(ioa_cfg->array_ids);
- kfree(ioa_cfg->vset_ids);
goto out;
}
diff --git a/drivers/scsi/ipr.h b/drivers/scsi/ipr.h
index a1fb840596ef..07a85ce41782 100644
--- a/drivers/scsi/ipr.h
+++ b/drivers/scsi/ipr.h
@@ -1440,9 +1440,9 @@ struct ipr_ioa_cfg {
/*
* Bitmaps for SIS64 generated target values
*/
- unsigned long *target_ids;
- unsigned long *array_ids;
- unsigned long *vset_ids;
+ unsigned long target_ids[BITS_TO_LONGS(IPR_MAX_SIS64_DEVS)];
+ unsigned long array_ids[BITS_TO_LONGS(IPR_MAX_SIS64_DEVS)];
+ unsigned long vset_ids[BITS_TO_LONGS(IPR_MAX_SIS64_DEVS)];
u16 type; /* CCIN of the card */