Re: [PATCH] lpfc: Fix possible use-after-free and double free in lpfc_mbx_cmpl_rdp_page_a2()

From: James Smart
Date: Mon Aug 31 2015 - 16:53:45 EST

On 8/18/2015 6:27 PM, Sebastian Herbszt wrote:
Johannes Thumshirn wrote:
Sebastian Herbszt <herbszt@xxxxxx> writes:

Johannes Thumshirn wrote:
If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeeds, execution
continues normally and mp gets kfree()d.

If the subsequent call to lpfc_sli_issue_mbox() fails execution jumps to the
error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as
function arguments. This is the use after free. Following the use after free mp
gets kfree()d again which is a double free.
A similar patch was posted by Colin Ian King on 2015-07-31 [1].


Is it already in James' tree (haven't checked)? The problematic code was
merged for 4.2-rc1 so if the fix (Collin's or mine I don't care) could go
in while we're still in the rc phase, we could avoid all that stable

Thanks for digging this out.

It is not yet in scsi.git.

James S., Dick, which patch do you prefer?


I looked at both and liked Johannes patch better.

-- james s

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at