* [PATCH] snic: Fix use-after-free in case of a dma mapping error
@ 2016-06-23 12:37 Johannes Thumshirn
2016-06-23 15:07 ` Laurence Oberman
0 siblings, 1 reply; 2+ messages in thread
From: Johannes Thumshirn @ 2016-06-23 12:37 UTC (permalink / raw)
To: Martin K . Petersen, James Bottomley
Cc: Linux SCSI Mailinglist, Linux Kernel Mailinglist,
Narsimhulu Musini, Sesidhar Baddela, Johannes Thumshirn
If there is a dma mapping error snic kfree()s buf right before printing it.
Change the order to not accidently trip on memory that's not owned by us
anymore.
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
---
drivers/scsi/snic/snic_disc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
index b0fefd6..b106596 100644
--- a/drivers/scsi/snic/snic_disc.c
+++ b/drivers/scsi/snic/snic_disc.c
@@ -113,11 +113,11 @@ snic_queue_report_tgt_req(struct snic *snic)
pa = pci_map_single(snic->pdev, buf, buf_len, PCI_DMA_FROMDEVICE);
if (pci_dma_mapping_error(snic->pdev, pa)) {
- kfree(buf);
- snic_req_free(snic, rqi);
SNIC_HOST_ERR(snic->shost,
"Rpt-tgt rspbuf %p: PCI DMA Mapping Failed\n",
buf);
+ kfree(buf);
+ snic_req_free(snic, rqi);
ret = -EINVAL;
goto error;
--
2.8.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] snic: Fix use-after-free in case of a dma mapping error
2016-06-23 12:37 [PATCH] snic: Fix use-after-free in case of a dma mapping error Johannes Thumshirn
@ 2016-06-23 15:07 ` Laurence Oberman
0 siblings, 0 replies; 2+ messages in thread
From: Laurence Oberman @ 2016-06-23 15:07 UTC (permalink / raw)
To: Johannes Thumshirn
Cc: Martin K . Petersen, James Bottomley, Linux SCSI Mailinglist,
Linux Kernel Mailinglist, Narsimhulu Musini, Sesidhar Baddela
----- Original Message -----
> From: "Johannes Thumshirn" <jthumshirn@suse.de>
> To: "Martin K . Petersen" <martin.petersen@oracle.com>, "James Bottomley" <jejb@linux.vnet.ibm.com>
> Cc: "Linux SCSI Mailinglist" <linux-scsi@vger.kernel.org>, "Linux Kernel Mailinglist" <linux-kernel@vger.kernel.org>,
> "Narsimhulu Musini" <nmusini@cisco.com>, "Sesidhar Baddela" <sebaddel@cisco.com>, "Johannes Thumshirn"
> <jthumshirn@suse.de>
> Sent: Thursday, June 23, 2016 8:37:20 AM
> Subject: [PATCH] snic: Fix use-after-free in case of a dma mapping error
>
> If there is a dma mapping error snic kfree()s buf right before printing it.
> Change the order to not accidently trip on memory that's not owned by us
> anymore.
>
> Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
> ---
> drivers/scsi/snic/snic_disc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
> index b0fefd6..b106596 100644
> --- a/drivers/scsi/snic/snic_disc.c
> +++ b/drivers/scsi/snic/snic_disc.c
> @@ -113,11 +113,11 @@ snic_queue_report_tgt_req(struct snic *snic)
>
> pa = pci_map_single(snic->pdev, buf, buf_len, PCI_DMA_FROMDEVICE);
> if (pci_dma_mapping_error(snic->pdev, pa)) {
> - kfree(buf);
> - snic_req_free(snic, rqi);
> SNIC_HOST_ERR(snic->shost,
> "Rpt-tgt rspbuf %p: PCI DMA Mapping Failed\n",
> buf);
> + kfree(buf);
> + snic_req_free(snic, rqi);
> ret = -EINVAL;
>
> goto error;
> --
> 2.8.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Looks fine to me
Reviewed-by Laurence Oberman <loberman@redhat.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-06-23 15:07 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-06-23 12:37 [PATCH] snic: Fix use-after-free in case of a dma mapping error Johannes Thumshirn
2016-06-23 15:07 ` Laurence Oberman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).