From: Sebastian Herbszt
Subject: Re: [PATCH] lpfc: Fix possible use-after-free and double free in lpfc_mbx_cmpl_rdp_page_a2()
Date: Wed, 19 Aug 2015 00:27:51 +0200
Message-ID: <20150819002751.00000f06@localhost>
References: <1439809382-32419-1-git-send-email-jthumshirn@suse.de> <20150817232634.00006d80@localhost>
List-Id: linux-scsi@vger.kernel.org
To: Johannes Thumshirn, James Smart, Dick Kennedy
Cc: "James E.J. Bottomley", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Colin King, Sebastian Herbszt

Johannes Thumshirn wrote:
> Sebastian Herbszt writes:
>
> > Johannes Thumshirn wrote:
> >> If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeed, execution
> >> continues normally and mp gets kfree()d.
> >>
> >> If the subsequent call to lpfc_sli_issue_mbox() fails, execution jumps to the
> >> error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as
> >> function arguments. This is the use after free. Following the use after free mp
> >> gets kfree()d again, which is a double free.
> >
> > A similar patch was posted by Colin Ian King on 2015-07-31 [1].
> >
> > [1] http://marc.info/?l=linux-scsi&m=143835937206204&w=2
>
> OK,
>
> Is it already in James' tree (haven't checked)? The problematic code was
> merged for 4.2-rc1, so if the fix (Colin's or mine, I don't care) could go
> in while we're still in the rc phase, we could avoid all that stable
> circus.
>
> Thanks for digging this out.
>
> Byte,
> Johannes

It is not yet in scsi.git.

James S., Dick, which patch do you prefer?

Sebastian
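As an added illustration (not code from lpfc or from either patch under discussion), the ordering bug Johannes describes modelled in plain C: `release_then_submit` kfree()s the descriptor before a call that can still fail and whose error label touches it, while `submit_then_release` releases only after the last fallible call. The struct, function names and the tracking allocator are hypothetical stand-ins; `run` returns bit 0 for a double free and bit 1 for a use after free.

```c
#include <stdlib.h>
/* Hypothetical stand-in for the driver's DMA buffer descriptor. */
struct mbuf { void *virt; unsigned long phys; };

/* Tracking "kfree": records freed pointers and counts a second free of the
 * same pointer instead of triggering real undefined behaviour. */
static void *g_freed[8];
static int g_nfreed, g_double_free, g_use_after_free;
static int was_freed(const void *p) {
    for (int i = 0; i < g_nfreed; i++) if (g_freed[i] == p) return 1;
    return 0;
}
static void tracked_kfree(void *p) {
    if (was_freed(p)) g_double_free++;
    else if (g_nfreed < 8) g_freed[g_nfreed++] = p;
}
/* Stand-in for a mailbox submit that may fail; the caller cannot know ahead. */
static int issue_mbox(int fail) { return fail ? -1 : 0; }

/* Ordering bug from the thread: mp is kfree()d on the success path, but the
 * later submit can still jump to the error label, which dereferences mp
 * (use after free) and kfree()s it again (double free). */
static int release_then_submit(struct mbuf *mp, int fail) {
    tracked_kfree(mp);                        /* last legitimate use of mp */
    if (issue_mbox(fail) != 0) goto error;
    return 0;
error:
    if (was_freed(mp)) g_use_after_free++;    /* models reading mp->virt/phys */
    tracked_kfree(mp);
    return -1;
}

/* Corrected ordering: release only after the last call that can fail, so both
 * outcomes share one cleanup and no dangling reference to mp survives. */
static int submit_then_release(struct mbuf *mp, int fail) {
    int rc = issue_mbox(fail);
    tracked_kfree(mp);
    return rc;
}

/* Runs one variant; returns bit 0 = double free seen, bit 1 = UAF seen. */
static int run(int (*fn)(struct mbuf *, int), int fail) {
    static char payload[4];                   /* constructed stand-in buffer */
    struct mbuf *mp = malloc(sizeof *mp);
    if (!mp) return -1;
    g_nfreed = g_double_free = g_use_after_free = 0;
    *mp = (struct mbuf){ payload, 0 };
    fn(mp, fail);
    free(mp);                                 /* tracking never freed it for real */
    return (g_double_free ? 1 : 0) | (g_use_after_free ? 2 : 0);
}
```

With a failing submit the buggy ordering reports both defects (3) and the corrected ordering reports none (0); when the submit succeeds neither variant reports anything.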