Re: [PATCH] lpfc: Fix possible use-after-free and double free in lpfc_mbx_cmpl_rdp_page_a2()

[James Smart]

On 8/18/2015 6:27 PM, Sebastian Herbszt wrote:
> Johannes Thumshirn wrote:
> > Sebastian Herbszt <herbszt@xxxxxx> writes:
> >
> > > Johannes Thumshirn wrote:
> > > > If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeeds, execution
> > > > continues normally and mp gets kfree()d.
> > > >
> > > > If the subsequent call to lpfc_sli_issue_mbox() fails execution jumps to the
> > > > error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as
> > > > function arguments. This is the use after free. Following the use after free mp
> > > > gets kfree()d again which is a double free.
> > > A similar patch was posted by Colin Ian King on 2015-07-31 [1].
> > >
> > > [1] http://marc.info/?l=linux-scsi&m=143835937206204&w=2
> > OK,
> >
> > Is it already in James' tree (haven't checked)? The problematic code was
> > merged for 4.2-rc1 so if the fix (Collin's or mine I don't care) could go
> > in while we're still in the rc phase, we could avoid all that stable
> > circus.
> >
> > Thanks for digging this out.
> >
> > Byte,
> >          Johannes
> It is not yet in scsi.git.
>
> James S., Dick, which patch do you prefer?
>
> Sebastian

I looked at both and liked Johannes patch better.

-- james s


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/