Johannes Thumshirn wrote:
Sebastian Herbszt <herbszt@xxxxxx> writes:It is not yet in scsi.git.
Johannes Thumshirn wrote:OK,
If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeeds, executionA similar patch was posted by Colin Ian King on 2015-07-31 .
continues normally and mp gets kfree()d.
If the subsequent call to lpfc_sli_issue_mbox() fails execution jumps to the
error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as
function arguments. This is the use after free. Following the use after free mp
gets kfree()d again which is a double free.
Is it already in James' tree (haven't checked)? The problematic code was
merged for 4.2-rc1 so if the fix (Collin's or mine I don't care) could go
in while we're still in the rc phase, we could avoid all that stable
Thanks for digging this out.
James S., Dick, which patch do you prefer?