| Message ID | 20210311103717.7523-1-colin.king@canonical.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
| Series | [next] scsi: sg: Fix use of pointer sfp after it has been kfree'd | expand |
On 2021-03-11 5:37 a.m., Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Currently SG_LOG is referencing sfp after it has been kfree'd which > is probably a bad thing to do. Fix this by kfree'ing sfp after > SG_LOG. > > Addresses-Coverity: ("Use after free") > Fixes: af1fc95db445 ("scsi: sg: Replace rq array with xarray") > Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Thanks. > --- > drivers/scsi/sg.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c > index 2d4bbc1a1727..79f05afa4407 100644 > --- a/drivers/scsi/sg.c > +++ b/drivers/scsi/sg.c > @@ -3799,10 +3799,10 @@ sg_add_sfp(struct sg_device *sdp) > if (rbuf_len > 0) { > srp = sg_build_reserve(sfp, rbuf_len); > if (IS_ERR(srp)) { > - kfree(sfp); > err = PTR_ERR(srp); > SG_LOG(1, sfp, "%s: build reserve err=%ld\n", __func__, > -err); > + kfree(sfp); > return ERR_PTR(err); > } > if (srp->sgat_h.buflen < rbuf_len) { >
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 2d4bbc1a1727..79f05afa4407 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -3799,10 +3799,10 @@ sg_add_sfp(struct sg_device *sdp) if (rbuf_len > 0) { srp = sg_build_reserve(sfp, rbuf_len); if (IS_ERR(srp)) { - kfree(sfp); err = PTR_ERR(srp); SG_LOG(1, sfp, "%s: build reserve err=%ld\n", __func__, -err); + kfree(sfp); return ERR_PTR(err); } if (srp->sgat_h.buflen < rbuf_len) {