lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 18 Feb 2016 11:40:15 -0500
From:	Ewan Milne <emilne@...hat.com>
To:	Johannes Thumshirn <jthumshirn@...e.de>, thenzl@...hat.com
Cc:	Insu Yun <wuninsu@...il.com>, nagalakshmi.nandigama@...gotech.com,
	praveen.krishnamoorthy@...gotech.com,
	sreekanth.reddy@...gotech.com, abhijit.mahajan@...gotech.com,
	MPT-FusionLinux.pdl@...gotech.com, linux-scsi@...r.kernel.org,
	linux-kernel@...r.kernel.org, taesoo@...ech.edu,
	yeongjin.jang@...ech.edu, insu@...ech.edu, changwoo@...ech.edu
Subject: Re: [PATCH v2] fusion-mptbase: handle failed allocation for
 workqueue

On Thu, 2016-02-18 at 10:00 +0100, Johannes Thumshirn wrote:
> On Wed, Feb 17, 2016 at 11:40:59PM -0500, Insu Yun wrote:
> > the failure of ioc->reset_work_q is checked,
> > but not ioc->fw_event_q.
> > 
> > Signed-off-by: Insu Yun <wuninsu@...il.com>
> > ---
> >  drivers/message/fusion/mptbase.c | 44 ++++++++++++++++++++++++----------------
> >  1 file changed, 27 insertions(+), 17 deletions(-)
> > 
> > diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
> > index 5dcc031..53a5015 100644
> > --- a/drivers/message/fusion/mptbase.c
> > +++ b/drivers/message/fusion/mptbase.c
> > @@ -1871,9 +1871,8 @@ mpt_attach(struct pci_dev *pdev, const struct pci_device_id *id)
> >  	if (!ioc->reset_work_q) {
> >  		printk(MYIOC_s_ERR_FMT "Insufficient memory to add adapter!\n",
> >  		    ioc->name);
> > -		pci_release_selected_regions(pdev, ioc->bars);
> > -		kfree(ioc);
> > -		return -ENOMEM;
> > +		r = -ENOMEM;
> > +		goto err3;
> >  	}
> >  
> >  	dinitprintk(ioc, printk(MYIOC_s_INFO_FMT "facts @ %p, pfacts[0] @ %p\n",
> > @@ -1996,24 +1995,16 @@ mpt_attach(struct pci_dev *pdev, const struct pci_device_id *id)
> >  	snprintf(ioc->fw_event_q_name, MPT_KOBJ_NAME_LEN, "mpt/%d", ioc->id);
> >  	ioc->fw_event_q = create_singlethread_workqueue(ioc->fw_event_q_name);
> >  
> > +	if (!ioc->fw_event_q) {
> > +		r = -ENOMEM;
> > +		goto err2;
> > +	}
> > +
> >  	if ((r = mpt_do_ioc_recovery(ioc, MPT_HOSTEVENT_IOC_BRINGUP,
> >  	    CAN_SLEEP)) != 0){
> >  		printk(MYIOC_s_ERR_FMT "didn't initialize properly! (%d)\n",
> >  		    ioc->name, r);
> > -
> > -		list_del(&ioc->list);
> > -		if (ioc->alt_ioc)
> > -			ioc->alt_ioc->alt_ioc = NULL;
> > -		iounmap(ioc->memmap);
> > -		if (r != -5)
> > -			pci_release_selected_regions(pdev, ioc->bars);
> > -
> > -		destroy_workqueue(ioc->reset_work_q);
> > -		ioc->reset_work_q = NULL;
> > -
> > -		kfree(ioc);
> > -		pci_set_drvdata(pdev, NULL);
> > -		return r;
> > +		goto err1;
> >  	}
> >  
> >  	/* call per device driver probe entry point */
> > @@ -2040,6 +2031,25 @@ mpt_attach(struct pci_dev *pdev, const struct pci_device_id *id)
> >  			msecs_to_jiffies(MPT_POLLING_INTERVAL));
> >  
> >  	return 0;
> > +
> > +err1:
> > +		destroy_workqueue(ioc->fw_event_q);
> > +		ioc->fw_event_q = NULL;
> > +err2::
> > +		destroy_workqueue(ioc->reset_work_q);
> > +		ioc->reset_work_q = NULL;
> > +
> > +		list_del(&ioc->list);
> > +		if (ioc->alt_ioc)
> > +			ioc->alt_ioc->alt_ioc = NULL;
> > +		iounmap(ioc->memmap);
> > +		pci_set_drvdata(pdev, NULL);
> > +err3:
> > +		if (r != -5)
> > +			pci_release_selected_regions(pdev, ioc->bars);
> > +		kfree(ioc);
> > +		return r;
> > +
> >  }
> 
> Please no. Not err1, err2 and err3.
> 
> err1 could be "goto destroy_fw_event_q", err2 "destroy_reset_workq", err3
> goto "free_ioc".

It also appears to me upon further inspection that the existing code has
other problems.  In particular, once mpt_mapresources() has returned
with a nonzero error code, it looks like iounmap() should be called, but
it is not in the case of a failed allocation of reset_work_q.  I'm also
not sure why pci_release_selected_regions() is only called for the case
of mpt_do_ioc_recovery() returning != -5 when it is called whenever
there is a failed allocation of reset_work_q.

Consider the attached patch (untested, because I don't have hardware):
It shows what I would do for labels & error handling.  If the rc != -5
case of return from mpt_do_ioc_recovery() could be eliminated, then
another label "out_free_fw_event_q:" could be added prior to the other
error cases at the end, and all the code after the printk() in that path
could be replaced by "goto out_free_fw_event_q;"

	if ((r = mpt_do_ioc_recovery(ioc, MPT_HOSTEVENT_IOC_BRINGUP,
	    CAN_SLEEP)) != 0){
		printk(MYIOC_s_ERR_FMT "didn't initialize properly! (%d)\n",
		    ioc->name, r);
		goto out_free_fw_event_q;
	}
...

out_free_fw_event_q:
	destroy_workqueue(ioc->fw_event_q);
	ioc->fw_event_q = NULL;

out_remove_ioc:
...

However I do not know if that change is legitimate.

-Ewan

> >  
> >  /*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*/
> > -- 
> > 1.9.1
> > 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> > the body of a message to majordomo@...r.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


View attachment "0001-mptbase-fixup-error-handling-paths-in-mpt_attach.patch" of type "text/x-patch" (3018 bytes)

Powered by blists - more mailing lists