From: Yinghai Lu <Yinghai.Lu@Sun.COM>
To: Andrew Morton <akpm@linux-foundation.org>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: linux-scsi@vger.kernel.org, linux-ide@vger.kernel.org,
	kristen.c.accardi@intel.com
Subject: [PATCH] scsi: ses fix for len and mem leaking when fail to add intf
Date: Sat, 09 Feb 2008 04:13:52 -0800	[thread overview]
Message-ID: <200802090413.53275.yinghai.lu@sun.com> (raw)

[PATCH] scsi: ses fix for len and mem leaking when fail to add intf

Cast to u32 before left-shifting a char.
Also fix the scomp leak on the failure path.

Signed-off-by: Yinghai Lu <yinghai.lu@sun.com>

Index: linux-2.6/drivers/scsi/ses.c
===================================================================
--- linux-2.6.orig/drivers/scsi/ses.c
+++ linux-2.6/drivers/scsi/ses.c
@@ -369,7 +369,7 @@ static void ses_match_to_enclosure(struc
 			     VPD_INQUIRY_SIZE, NULL, SES_TIMEOUT, SES_RETRIES))
 		goto free;
 
-	len = (buf[2] << 8) + buf[3];
+	len = ((u32)buf[2] << 8) + buf[3];
 	desc = buf + 4;
 	while (desc < buf + len) {
 		enum scsi_protocol proto = desc[0] >> 4;
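Review bot: The `(u32)` cast in `len = ((u32)buf[2] << 8) + buf[3];` does not remove the sign problem the description refers to: if `buf` is plain `char`, a byte of 0x80 or above is sign-extended to 0xFFFFFFxx by the cast before the shift, and `buf[3]` is still added as a signed value. Converting each byte to an unsigned 8-bit value first gives the intended 16-bit length, e.g. `len = ((u8)buf[2] << 8) | (u8)buf[3];`, or declare the buffers `unsigned char *` so no cast is needed. The same pattern recurs in the `hdr_buf` and `desc_ptr` length computations in the ses_intf_add hunks. The declaration of `buf` is outside this hunk, so its signedness should be confirmed there.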
@@ -420,7 +420,7 @@ static int ses_intf_add(struct class_dev
 
 	if (!scsi_device_enclosure(sdev)) {
 		/* not an enclosure, but might be in one */
-		edev = 	enclosure_find(&sdev->host->shost_gendev);
+		edev = enclosure_find(&sdev->host->shost_gendev);
 		if (edev) {
 			ses_match_to_enclosure(edev, sdev);
 			class_device_put(&edev->cdev);
@@ -451,18 +451,18 @@ static int ses_intf_add(struct class_dev
 		goto err_free;
 	}
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		goto err_free;
 
-	ses_dev->page1 = buf;
-	ses_dev->page1_len = len;
-
 	result = ses_recv_diag(sdev, 1, buf, len);
 	if (result)
 		goto recv_failed;
 
+	ses_dev->page1 = buf;
+	ses_dev->page1_len = len;
+
 	types = buf[10];
 	len = buf[11];
 
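Review bot: When `ses_recv_diag(sdev, 1, buf, len)` fails, `buf` has not yet been stored in `ses_dev->page1` (the assignment now follows the call) and a later hunk drops `kfree(buf);` from `err_free:`, so the page-1 buffer appears to leak on the `recv_failed` path. The page-10 hunk has the same shape, with `goto recv_failed;` ahead of `ses_dev->page10 = buf;`. Since this patch sets `buf = NULL` after each ownership hand-off, keeping `kfree(buf);` under `err_free:` would free only a buffer that has not been handed to `ses_dev`. ses_intf_add continues beyond the visible hunks, so confirm that no other path already frees it.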
@@ -474,11 +474,12 @@ static int ses_intf_add(struct class_dev
 			components += type_ptr[1];
 	}
 
+	buf = NULL;
 	result = ses_recv_diag(sdev, 2, hdr_buf, INIT_ALLOC_SIZE);
 	if (result)
 		goto recv_failed;
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		goto err_free;
@@ -492,11 +493,12 @@ static int ses_intf_add(struct class_dev
 
 	/* The additional information page --- allows us
 	 * to match up the devices */
+	buf = NULL;
 	result = ses_recv_diag(sdev, 10, hdr_buf, INIT_ALLOC_SIZE);
 	if (result)
 		goto no_page10;
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		goto err_free;
@@ -506,16 +508,18 @@ static int ses_intf_add(struct class_dev
 		goto recv_failed;
 	ses_dev->page10 = buf;
 	ses_dev->page10_len = len;
+	buf = NULL;
 
  no_page10:
 	scomp = kmalloc(sizeof(struct ses_component) * components, GFP_KERNEL);
 	if (!scomp)
-		goto  err_free;
+		goto err_free;
 
 	edev = enclosure_register(cdev->dev, sdev->sdev_gendev.bus_id,
 				  components, &ses_enclosure_callbacks);
 	if (IS_ERR(edev)) {
 		err = PTR_ERR(edev);
+		kfree(scomp);
 		goto err_free;
 	}
 
@@ -524,24 +528,27 @@ static int ses_intf_add(struct class_dev
 		edev->component[i].scratch = scomp++;
 
 	/* Page 7 for the descriptors is optional */
-	buf = NULL;
 	result = ses_recv_diag(sdev, 7, hdr_buf, INIT_ALLOC_SIZE);
 	if (result)
 		goto simple_populate;
 
-	len = (hdr_buf[2] << 8) + hdr_buf[3] + 4;
+	len = ((u32)hdr_buf[2] << 8) + hdr_buf[3] + 4;
 	/* add 1 for trailing '\0' we'll use */
 	buf = kzalloc(len + 1, GFP_KERNEL);
-	result = ses_recv_diag(sdev, 7, buf, len);
-	if (result) {
+	if (buf)
+		result = ses_recv_diag(sdev, 7, buf, len);
+	else
+		result = 7;
+
  simple_populate:
+	if (result) {
 		kfree(buf);
 		buf = NULL;
 		desc_ptr = NULL;
 		addl_desc_ptr = NULL;
 	} else {
 		desc_ptr = buf + 8;
-		len = (desc_ptr[2] << 8) + desc_ptr[3];
+		len = ((u32)desc_ptr[2] << 8) + desc_ptr[3];
 		/* skip past overall descriptor */
 		desc_ptr += len + 4;
 		addl_desc_ptr = ses_dev->page10 + 8;
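Review bot: `addl_desc_ptr = ses_dev->page10 + 8;` in the else branch yields a non-NULL pointer even when page 10 was skipped via `no_page10` and `ses_dev->page10` was never assigned, so the later `if (addl_desc_ptr)` test in the component loop would not catch it. Guarding the assignment, `addl_desc_ptr = ses_dev->page10 ? ses_dev->page10 + 8 : NULL;`, keeps the optional-page handling consistent. Separately, `result = 7` is used as an allocation-failure marker that only has to be non-zero; a short comment such as `/* any non-zero value: fall back to simple populate */` would make that explicit. The initialisation of `ses_dev` is outside the visible hunks, so the NULL state of `page10` is assumed here.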
@@ -554,7 +561,7 @@ static int ses_intf_add(struct class_dev
 			struct enclosure_component *ecomp;
 
 			if (desc_ptr) {
-				len = (desc_ptr[2] << 8) + desc_ptr[3];
+				len = ((u32)desc_ptr[2] << 8) + desc_ptr[3];
 				desc_ptr += 4;
 				/* Add trailing zero - pushes into
 				 * reserved space */
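Review bot: `len` here comes straight from the device's page-7 descriptor, and nothing in the visible lines checks that `desc_ptr + 4 + len` stays inside the buffer allocated from the page header length, yet the comment says a trailing zero is written at that offset. A malformed or truncated response could therefore push the write (and the following `desc_ptr` advance) past the allocation. The page-7 length would need to be kept in its own variable, since `len` is reused, and each descriptor checked against it before use. The walk `while (desc < buf + len)` in ses_match_to_enclosure similarly trusts the reported length against a buffer that appears to be VPD_INQUIRY_SIZE bytes. The statements after the comment are outside this hunk, so the exact write should be confirmed there.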
@@ -575,7 +582,7 @@ static int ses_intf_add(struct class_dev
 							       addl_desc_ptr);
 
 				if (addl_desc_ptr)
-					addl_desc_ptr += addl_desc_ptr[1] + 2;
+					addl_desc_ptr += 2 + addl_desc_ptr[1];
 			}
 		}
 	}
@@ -597,7 +604,6 @@ static int ses_intf_add(struct class_dev
 		    result);
 	err = -ENODEV;
  err_free:
-	kfree(buf);
 	kfree(ses_dev->page10);
 	kfree(ses_dev->page2);
 	kfree(ses_dev->page1);
@@ -630,6 +636,7 @@ static void ses_intf_remove(struct class
 	ses_dev = edev->scratch;
 	edev->scratch = NULL;
 
+	kfree(ses_dev->page10);
 	kfree(ses_dev->page1);
 	kfree(ses_dev->page2);
 	kfree(ses_dev);


Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-09 12:13 Yinghai Lu [this message]
2008-02-09 15:00 ` James Bottomley
2008-02-09 22:28   ` Yinghai Lu
2008-02-09 23:15   ` [PATCH] scsi: ses fix " Yinghai Lu
2008-02-11  4:28     ` James Bottomley
2008-02-11  5:27       ` Yinghai Lu
2008-02-11  7:25       ` [SCSI] ses: fix memory leaks Yinghai Lu
2008-02-11 16:23         ` James Bottomley
2008-02-11 17:02           ` James Bottomley
2008-02-11 20:25             ` Yinghai Lu
2008-02-13  7:10               ` [PATCH] SCSI: fix data corruption caused by ses Yinghai Lu
2008-02-13 23:25                 ` James Bottomley
2008-02-14  0:07                   ` Yinghai Lu
2008-02-14  0:25                   ` [PATCH] SCSI: fix data corruption caused by ses v2 Yinghai Lu
2008-02-15 15:53                     ` James Bottomley
2008-02-15 18:44                       ` Yinghai Lu
