Re: [PATCH] snic: Fix use-after-free in case of a dma mapping error
From: Laurence Oberman
Date: Thu Jun 23 2016 - 11:08:03 EST
----- Original Message -----
> From: "Johannes Thumshirn" <jthumshirn@xxxxxxx>
> To: "Martin K . Petersen" <martin.petersen@xxxxxxxxxx>, "James Bottomley" <jejb@xxxxxxxxxxxxxxxxxx>
> Cc: "Linux SCSI Mailinglist" <linux-scsi@xxxxxxxxxxxxxxx>, "Linux Kernel Mailinglist" <linux-kernel@xxxxxxxxxxxxxxx>,
> "Narsimhulu Musini" <nmusini@xxxxxxxxx>, "Sesidhar Baddela" <sebaddel@xxxxxxxxx>, "Johannes Thumshirn"
> <jthumshirn@xxxxxxx>
> Sent: Thursday, June 23, 2016 8:37:20 AM
> Subject: [PATCH] snic: Fix use-after-free in case of a dma mapping error
>
> If there is a dma mapping error snic kfree()s buf right before printing it.
> Change the order to not accidently trip on memory that's not owned by us
> anymore.
>
> Signed-off-by: Johannes Thumshirn <jthumshirn@xxxxxxx>
> ---
> drivers/scsi/snic/snic_disc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
> index b0fefd6..b106596 100644
> --- a/drivers/scsi/snic/snic_disc.c
> +++ b/drivers/scsi/snic/snic_disc.c
> @@ -113,11 +113,11 @@ snic_queue_report_tgt_req(struct snic *snic)
>
> pa = pci_map_single(snic->pdev, buf, buf_len, PCI_DMA_FROMDEVICE);
> if (pci_dma_mapping_error(snic->pdev, pa)) {
> - kfree(buf);
> - snic_req_free(snic, rqi);
> SNIC_HOST_ERR(snic->shost,
> "Rpt-tgt rspbuf %p: PCI DMA Mapping Failed\n",
> buf);
> + kfree(buf);
> + snic_req_free(snic, rqi);
> ret = -EINVAL;
>
> goto error;
> --
> 2.8.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Looks fine to me
Reviewed-by Laurence Oberman <loberman@xxxxxxxxxx>