scsi: qedf: Fix a potential NULL pointer dereference

At the beginning of 'qedf_srr_compl()' and of 'qedf_rec_compl()', we check if 'orig_io_req' is NULL. If this happens, a NULL pointer dereference will occur in the error handling path. Fix it by adding an additional label in the error handling path in order to avoid this NULL pointer dereference. [mkp: typo] Fixes: 61d8658b ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Acked-by: Chad Dupuis <chad.dupuis@cavium.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

scsi: qedf: Fix a potential NULL pointer dereference
At the beginning of 'qedf_srr_compl()' and of 'qedf_rec_compl()', we check if 'orig_io_req' is NULL. If this happens, a NULL pointer dereference will occur in the error handling path. Fix it by adding an additional label in the error handling path in order to avoid this NULL pointer dereference. [mkp: typo] Fixes: 61d8658b ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Acked-by: Chad Dupuis <chad.dupuis@cavium.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
47c4ccd3 · Christophe JAILLET · Martin K. Petersen · bd46fc40 · 47c4ccd3
Commit 47c4ccd3 authored Aug 20, 2017 by Christophe JAILLET Committed by Martin K. Petersen Aug 23, 2017
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

drivers/scsi/qedf/qedf_els.c drivers/scsi/qedf/qedf_els.c +8 -6

No files found.
--- a/drivers/scsi/qedf/qedf_els.c
+++ b/drivers/scsi/qedf/qedf_els.c
@@ -489,7 +489,7 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 	/* If a SRR times out, simply free resources */
 	if (srr_req->event == QEDF_IOREQ_EV_ELS_TMO)
-		goto out_free;
+		goto out_put;
 	/* Normalize response data into struct fc_frame */
 	mp_req = &(srr_req->mp_req);
@@ -501,7 +501,7 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 	if (!fp) {
 		QEDF_ERR(&(qedf->dbg_ctx),
 		    "fc_frame_alloc failure.\n");
-		goto out_free;
+		goto out_put;
 	}
 	/* Copy frame header from firmware into fp */
@@ -526,9 +526,10 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 	}
 	fc_frame_free(fp);
-out_free:
+out_put:
 	/* Put reference for original command since SRR completed */
 	kref_put(&orig_io_req->refcount, qedf_release_cmd);
+out_free:
 	kfree(cb_arg);
 }
@@ -780,7 +781,7 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 	/* If a REC times out, free resources */
 	if (rec_req->event == QEDF_IOREQ_EV_ELS_TMO)
-		goto out_free;
+		goto out_put;
 	/* Normalize response data into struct fc_frame */
 	mp_req = &(rec_req->mp_req);
@@ -792,7 +793,7 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 	if (!fp) {
 		QEDF_ERR(&(qedf->dbg_ctx),
 		    "fc_frame_alloc failure.\n");
-		goto out_free;
+		goto out_put;
 	}
 	/* Copy frame header from firmware into fp */
@@ -884,9 +885,10 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 out_free_frame:
 	fc_frame_free(fp);
-out_free:
+out_put:
 	/* Put reference for original command since REC completed */
 	kref_put(&orig_io_req->refcount, qedf_release_cmd);
+out_free:
 	kfree(cb_arg);
 }