[PATCH 5.4 80/84] scsi: core: Fix failure handling of scsi_add_host_with_dma()

From: Greg Kroah-Hartman
Date: Mon Jun 14 2021 - 07:01:48 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.4 76/84] NFS: Fix use-after-free in nfs4_init_client()"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 77/84] NFSv4: Fix second deadlock in nfs4_evict_inode()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 77/84] NFSv4: Fix second deadlock in nfs4_evict_inode()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 76/84] NFS: Fix use-after-free in nfs4_init_client()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ming Lei <ming.lei@xxxxxxxxxx>

commit 3719f4ff047e20062b8314c23ec3cab84d74c908 upstream.

When scsi_add_host_with_dma() returns failure, the caller will call
scsi_host_put(shost) to release everything allocated for this host
instance. Consequently we can't also free allocated stuff in
scsi_add_host_with_dma(), otherwise we will end up with a double free.

Strictly speaking, host resource allocations should have been done in
scsi_host_alloc(). However, the allocations may need information which is
not yet provided by the driver when that function is called. So leave the
allocations where they are but rely on host device's release handler to
free resources.

Link: https://lore.kernel.org/r/20210602133029.2864069-3-ming.lei@xxxxxxxxxx
Cc: Bart Van Assche <bvanassche@xxxxxxx>
Cc: John Garry <john.garry@xxxxxxxxxx>
Cc: Hannes Reinecke <hare@xxxxxxx>
Tested-by: John Garry <john.garry@xxxxxxxxxx>
Reviewed-by: Bart Van Assche <bvanassche@xxxxxxx>
Reviewed-by: John Garry <john.garry@xxxxxxxxxx>
Reviewed-by: Hannes Reinecke <hare@xxxxxxx>
Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/scsi/hosts.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -275,23 +275,22 @@ int scsi_add_host_with_dma(struct Scsi_H
shost->work_q_name);
if (!shost->work_q) {
error = -EINVAL;
- goto out_free_shost_data;
+ goto out_del_dev;
}
}

error = scsi_sysfs_add_host(shost);
if (error)
- goto out_destroy_host;
+ goto out_del_dev;

scsi_proc_host_add(shost);
scsi_autopm_put_host(shost);
return error;

- out_destroy_host:
- if (shost->work_q)
- destroy_workqueue(shost->work_q);
- out_free_shost_data:
- kfree(shost->shost_data);
+ /*
+ * Any host allocation in this function will be freed in
+ * scsi_host_dev_release().
+ */
out_del_dev:
device_del(&shost->shost_dev);
out_del_gendev:
@@ -301,7 +300,6 @@ int scsi_add_host_with_dma(struct Scsi_H
pm_runtime_disable(&shost->shost_gendev);
pm_runtime_set_suspended(&shost->shost_gendev);
pm_runtime_put_noidle(&shost->shost_gendev);
- scsi_mq_destroy_tags(shost);
fail:
return error;
}

Next message: Greg Kroah-Hartman: "[PATCH 5.4 76/84] NFS: Fix use-after-free in nfs4_init_client()"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 77/84] NFSv4: Fix second deadlock in nfs4_evict_inode()"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 77/84] NFSv4: Fix second deadlock in nfs4_evict_inode()"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 76/84] NFS: Fix use-after-free in nfs4_init_client()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]