1 From: Gerald Schaefer <geraldsc@de.ibm.com>
2 Subject: zfcp: Don't call zfcp_fsf_req_free on NULL pointer
3 References: bnc#484767,LTC#52234
5 Symptom: Reading adapter statistics from user space on a full
6 queue might lead to the attempt of freeing memory on
8 Problem: The error path for the queue full case is wrong in the code.
9 Solution: Only free the FSF request if it has been sucessfully allocated
12 Acked-by: John Jolly <jjolly@suse.de>
14 drivers/s390/scsi/zfcp_fsf.c | 18 ++++++++++++------
15 1 file changed, 12 insertions(+), 6 deletions(-)
17 --- a/drivers/s390/scsi/zfcp_fsf.c 2009-03-16 15:34:34.000000000 +0100
18 +++ b/drivers/s390/scsi/zfcp_fsf.c 2009-03-16 16:04:01.000000000 +0100
19 @@ -1256,13 +1256,13 @@ int zfcp_fsf_exchange_config_data_sync(s
21 spin_lock_bh(&adapter->req_q_lock);
22 if (zfcp_fsf_req_sbal_get(adapter))
26 req = zfcp_fsf_req_create(adapter, FSF_QTCB_EXCHANGE_CONFIG_DATA,
29 retval = PTR_ERR(req);
34 sbale = zfcp_qdio_sbale_req(req);
35 @@ -1281,14 +1281,16 @@ int zfcp_fsf_exchange_config_data_sync(s
37 zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
38 retval = zfcp_fsf_req_send(req);
40 spin_unlock_bh(&adapter->req_q_lock);
42 wait_event(req->completion_wq,
43 req->status & ZFCP_STATUS_FSFREQ_COMPLETED);
45 zfcp_fsf_req_free(req);
49 + spin_unlock_bh(&adapter->req_q_lock);
53 @@ -1355,13 +1357,13 @@ int zfcp_fsf_exchange_port_data_sync(str
55 spin_lock_bh(&adapter->req_q_lock);
56 if (zfcp_fsf_req_sbal_get(adapter))
60 req = zfcp_fsf_req_create(adapter, FSF_QTCB_EXCHANGE_PORT_DATA, 0,
63 retval = PTR_ERR(req);
69 @@ -1374,14 +1376,18 @@ int zfcp_fsf_exchange_port_data_sync(str
70 req->handler = zfcp_fsf_exchange_port_data_handler;
71 zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
72 retval = zfcp_fsf_req_send(req);
74 spin_unlock_bh(&adapter->req_q_lock);
77 wait_event(req->completion_wq,
78 req->status & ZFCP_STATUS_FSFREQ_COMPLETED);
79 zfcp_fsf_req_free(req);
84 + spin_unlock_bh(&adapter->req_q_lock);
88 static void zfcp_fsf_open_port_handler(struct zfcp_fsf_req *req)