| Message ID | 5B7E1AFA.8030506@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | scsi/virio_scsi.c: do not call virtscsi_remove_vqs() in virtscsi_init() to avoid crash bug |
On Thu, Aug 23, 2018 at 10:24:58AM +0800, piaojun wrote:
> If some error happened before find_vqs, the error branch will goto
> virtscsi_remove_vqs to free the vqs. Actually the vqs have not been allocated
> successfully, so this will cause a wild-pointer-free problem. So
> virtscsi_remove_vqs could be deleted, as no error will happen after
> find_vqs.
>
> Signed-off-by: Jun Piao <piaojun@huawei.com>
> ---
> drivers/scsi/virtio_scsi.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
> index 1c72db9..da0fd74 100644
> --- a/drivers/scsi/virtio_scsi.c
> +++ b/drivers/scsi/virtio_scsi.c
> @@ -833,8 +833,6 @@ static int virtscsi_init(struct virtio_device *vdev,
> kfree(names);
> kfree(callbacks);
> kfree(vqs);
> - if (err)
> - virtscsi_remove_vqs(vdev);

Can you provide more details about the problem?

drivers/virtio/virtio_pci_common.c:vp_del_vqs() looks fine to me; it
iterates over vdev->vqs. The vdev->vqs list has been initialized in
drivers/virtio/virtio.c:register_virtio_device() and it's empty.

Stefan
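As an added example (not code from the patch, the reply, or the kernel tree), the following user-space model shows the point Stefan raises: a teardown routine that walks a list head initialized at registration time does nothing when the list is empty, so calling it from an error path that never reached find_vqs() frees no wild pointer on its own, while it is still the only cleanup if anything fails after the queues exist. The structures and the names vdev, register_vdev, find_vqs, del_vqs, vdev_init and the two failure-injection flags are assumptions that mirror the thread, not the virtio API.

```c
/* Added example, not from the patch or the kernel: a user-space model of a
 * virtqueue list whose teardown is safe to call before anything was added.
 * Names mirror the thread (vdev, find_vqs, del_vqs) but are assumptions. */
#include <errno.h>
#include <stdlib.h>

struct list_node { struct list_node *prev, *next; };

static void list_init(struct list_node *h) { h->prev = h->next = h; }
static int list_empty(const struct list_node *h) { return h->next == h; }
static void list_add_tail(struct list_node *n, struct list_node *h)
{
    n->prev = h->prev;
    n->next = h;
    h->prev->next = n;
    h->prev = n;
}
static void list_del(struct list_node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

struct vq { struct list_node node; unsigned index; };   /* node is first member */

struct vdev {
    struct list_node vqs;   /* initialized at registration, like vdev->vqs */
    unsigned freed;         /* queues released by the last del_vqs() call */
};

/* Model of register_virtio_device(): the list head exists, and is empty,
 * before any driver probe runs. */
static void register_vdev(struct vdev *d)
{
    list_init(&d->vqs);
    d->freed = 0;
}

/* Model of find_vqs(): allocate and link n queues. */
static int find_vqs(struct vdev *d, unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        struct vq *q = malloc(sizeof *q);
        if (!q)
            return -ENOMEM;
        q->index = i;
        list_add_tail(&q->node, &d->vqs);
    }
    return 0;
}

/* Model of vp_del_vqs(): walk the list and free what is on it.  On an
 * initialized empty list the loop body never runs, so there is nothing
 * to free and no pointer is touched. */
static unsigned del_vqs(struct vdev *d)
{
    unsigned n = 0;
    struct list_node *cur = d->vqs.next;
    while (cur != &d->vqs) {
        struct list_node *next = cur->next;
        struct vq *q = (struct vq *)cur;   /* valid: node is the first member */
        list_del(cur);
        free(q);
        cur = next;
        n++;
    }
    d->freed = n;
    return n;
}

/* Model of virtscsi_init() keeping the cleanup the patch deletes.
 * fail_before injects an error before find_vqs() (e.g. an allocation of
 * names/callbacks failing); fail_after injects a hypothetical error once
 * the queues exist. */
static int vdev_init(struct vdev *d, unsigned nvqs, int fail_before, int fail_after)
{
    int err = 0;

    if (fail_before) {
        err = -ENOMEM;
        goto out;
    }
    err = find_vqs(d, nvqs);
    if (err)
        goto out;
    if (fail_after)
        err = -EIO;
out:
    if (err)
        del_vqs(d);   /* the two lines removed by the patch */
    return err;
}

/* Helper for checking the list state after init or teardown. */
static unsigned count_vqs(const struct vdev *d)
{
    unsigned n = 0;
    for (const struct list_node *c = d->vqs.next; c != &d->vqs; c = c->next)
        n++;
    return n;
}
```

With fail_before set, vdev_init() returns the error and del_vqs() reports zero queues freed, which is the early-failure case the commit message describes; with fail_after set, the same call frees every queue that find_vqs() linked, which is what is lost if the cleanup is removed and a later failure is ever introduced.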
diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c index 1c72db9..da0fd74 100644 --- a/drivers/scsi/virtio_scsi.c +++ b/drivers/scsi/virtio_scsi.c @@ -833,8 +833,6 @@ static int virtscsi_init(struct virtio_device *vdev, kfree(names); kfree(callbacks); kfree(vqs); - if (err) - virtscsi_remove_vqs(vdev); return err; }
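Review bot: deleting `if (err) virtscsi_remove_vqs(vdev);` removes the only cleanup for the case where find_vqs succeeds and a later step sets err, and the hunk shows just the kfree() tail of virtscsi_init, so the claim that "no error will happen after find_vqs" cannot be checked from the diff; the description should show the code between find_vqs and this point, and the actual crash trace behind the wild-pointer-free report, since the reply notes that vp_del_vqs only iterates the vdev->vqs list initialized in register_virtio_device(). If an early failure really does reach a bad free, a narrower fix is to route the pre-find_vqs error paths past the remove call (a separate label after the three kfree() calls) and keep `virtscsi_remove_vqs(vdev)` on the post-find_vqs path rather than drop it.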
If some error happened before find_vqs, the error branch will goto
virtscsi_remove_vqs to free the vqs. Actually the vqs have not been allocated
successfully, so this will cause a wild-pointer-free problem. So
virtscsi_remove_vqs could be deleted, as no error will happen after
find_vqs.

Signed-off-by: Jun Piao <piaojun@huawei.com>
---
 drivers/scsi/virtio_scsi.c | 2 --
 1 file changed, 2 deletions(-)
--