From: Christoph Hellwig <hch@lst.de>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
Date: Tue, 20 Mar 2018 08:42:08 +0000	[thread overview]
Message-ID: <20180320084208.GA16215@lst.de> (raw)
In-Reply-To: <20180319103303.GA8543@mwanda>

On Mon, Mar 19, 2018 at 11:08:37PM -0400, Martin K. Petersen wrote:
> 
> Dan,
> 
> > The scsi_host_put() function frees "pHba" and then we dereference it on
> > the next line when we do "scsi_host_put(pHba->host);".
> 
> Applied to 4.17/scsi-queue, thank you.

This fix is broken!  adpt_i2o_delete_hba references pHba->host as well.

Instead we need a local variable for the host. Fix below:

---
From 701440055539c0f72a3179d85a44bd59d45a7d4b Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Tue, 20 Mar 2018 09:40:44 +0100
Subject: dpt_i2o: fix use after free in adpt_release for real

Fixes: 7bec5bed ("scsi: dpt_i2o: use after free in adpt_release()")

adpt_i2o_delete_hba still references the host.

Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 drivers/scsi/dpt_i2o.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 0f30792d74c4..35d45903ed2e 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -304,10 +304,12 @@ static int adpt_detect(struct scsi_host_template* sht)
 
 static void adpt_release(adpt_hba *pHba)
 {
-	scsi_remove_host(pHba->host);
+	struct Scsi_Host *shost = pHba->host;
+
+	scsi_remove_host(shost);
 //	adpt_i2o_quiesce_hba(pHba);
-	scsi_host_put(pHba->host);
 	adpt_i2o_delete_hba(pHba);
+	scsi_host_put(shost);
 }
 
 
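Review bot: the new ordering is safe only because `scsi_host_put(shost);` is the last statement in the function: after adpt_i2o_delete_hba(pHba) returns, pHba must not be touched again, and after the put drops the final reference neither may shost, so nothing can be appended after either call. A one-line comment above `scsi_host_put(shost);` noting that the put has to stay last because adpt_i2o_delete_hba() still uses pHba->host would stop a later cleanup from reintroducing the bug this hunk and 7bec5bed each fixed in turn. While the function is being touched, the stale `//	adpt_i2o_quiesce_hba(pHba);` line in the middle of the sequence should go or become a proper /* */ comment, and the Fixes: tag above quotes only eight hex digits of the commit id where the usual convention is twelve or more.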
-- 
2.14.2
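As an added example that is not kernel code and not part of either patch in this thread, the following constructed C model of the two objects adpt_release() deals with shows why the final scsi_host_put() must come after adpt_i2o_delete_hba(): the model_* functions, the live flags and the uaf_count counter are assumptions of the model, not kernel APIs.

```c
#include <stdbool.h>
/* Constructed model of the two objects in adpt_release(): a refcounted
 * "Scsi_Host" and a separately allocated "adpt_hba" pointing at it.
 * Nothing is really freed; each object has a live flag, and touch()
 * counts every access to a dead object (the use-after-free at issue). */
struct model_host { int refcount; bool live; };
struct model_hba  { struct model_host *host; bool live; };
static int uaf_count;
static void touch(bool live) { if (!live) uaf_count++; }

/* Stand-in for scsi_host_put(): dropping the last reference frees the host. */
static void model_host_put(struct model_host *h)
{
	touch(h->live);
	if (--h->refcount == 0)
		h->live = false;
}

/* Stand-in for adpt_i2o_delete_hba(): reads pHba->host, then frees pHba. */
static void model_delete_hba(struct model_hba *hba)
{
	touch(hba->live);
	touch(hba->host->live);
	hba->live = false;
}

static void reset(struct model_host *h, struct model_hba *hba)
{
	h->refcount = 1; h->live = true; hba->host = h; hba->live = true;
	uaf_count = 0;
}

/* Ordering in the '-' lines of the diff (commit 7bec5bed): put first. */
int release_put_before_delete(void)
{
	struct model_host h; struct model_hba hba; reset(&h, &hba);
	model_host_put(hba.host);   /* drops the last reference */
	model_delete_hba(&hba);     /* still dereferences pHba->host */
	return uaf_count;           /* 1 */
}

/* Ordering in the '+' lines: keep the host in a local and put it last. */
int release_put_last(void)
{
	struct model_host h; struct model_hba hba; reset(&h, &hba);
	struct model_host *shost = hba.host;
	model_delete_hba(&hba);     /* frees pHba while the host is alive */
	model_host_put(shost);      /* uses the local, not pHba->host */
	return uaf_count;           /* 0 */
}
```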


Thread overview:
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
2018-03-20  3:08 ` Martin K. Petersen
2018-03-20  8:42 ` Christoph Hellwig [this message]
2018-03-20  9:58 ` Dan Carpenter
2018-03-21 22:37 ` Martin K. Petersen