* [PATCH] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
@ 2020-05-12 18:19 Dan Carpenter
2020-05-14 17:03 ` James Smart
2020-05-15 0:21 ` Martin K. Petersen
0 siblings, 2 replies; 14+ messages in thread
From: Dan Carpenter @ 2020-05-12 18:19 UTC (permalink / raw)
To: James Smart
Cc: Dick Kennedy, James E.J. Bottomley, Martin K. Petersen,
Jens Axboe, Hannes Reinecke, Paul Ely, linux-scsi,
kernel-janitors
The "axchg" pointer is dereferenced when we call the
lpfc_nvme_unsol_ls_issue_abort() function. It can't be either freed or
NULL.
Fixes: 3a8070c567aa ("lpfc: Refactor NVME LS receive handling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/scsi/lpfc/lpfc_sli.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 38889cb6e1996..fcf51b4192d66 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -2895,14 +2895,14 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
(phba->nvmet_support) ? "T" : "I", ret);
out_fail:
- kfree(axchg);
-
/* recycle receive buffer */
lpfc_in_buf_free(phba, &nvmebuf->dbuf);
/* If start of new exchange, abort it */
- if (fctl & FC_FC_FIRST_SEQ && !(fctl & FC_FC_EX_CTX))
+ if (axchg && (fctl & FC_FC_FIRST_SEQ) && !(fctl & FC_FC_EX_CTX))
lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid);
+
+ kfree(axchg);
}
/**
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread* Re: [PATCH] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-12 18:19 [PATCH] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler() Dan Carpenter
@ 2020-05-14 17:03 ` James Smart
2020-05-15 0:21 ` Martin K. Petersen
1 sibling, 0 replies; 14+ messages in thread
From: James Smart @ 2020-05-14 17:03 UTC (permalink / raw)
To: Dan Carpenter
Cc: Dick Kennedy, James E.J. Bottomley, Martin K. Petersen,
Jens Axboe, Hannes Reinecke, Paul Ely, linux-scsi,
kernel-janitors
On 5/12/2020 11:19 AM, Dan Carpenter wrote:
> The "axchg" pointer is dereferenced when we call the
> lpfc_nvme_unsol_ls_issue_abort() function. It can't be either freed or
> NULL.
>
> Fixes: 3a8070c567aa ("lpfc: Refactor NVME LS receive handling")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/scsi/lpfc/lpfc_sli.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
> index 38889cb6e1996..fcf51b4192d66 100644
> --- a/drivers/scsi/lpfc/lpfc_sli.c
> +++ b/drivers/scsi/lpfc/lpfc_sli.c
> @@ -2895,14 +2895,14 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
> (phba->nvmet_support) ? "T" : "I", ret);
>
> out_fail:
> - kfree(axchg);
> -
> /* recycle receive buffer */
> lpfc_in_buf_free(phba, &nvmebuf->dbuf);
>
> /* If start of new exchange, abort it */
> - if (fctl & FC_FC_FIRST_SEQ && !(fctl & FC_FC_EX_CTX))
> + if (axchg && (fctl & FC_FC_FIRST_SEQ) && !(fctl & FC_FC_EX_CTX))
> lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid);
> +
> + kfree(axchg);
> }
>
> /**
Reviewed-by: James Smart <james.smart@broadcom.com>
Thank You
-- james
^ permalink raw reply [flat|nested] 14+ messages in thread* Re: [PATCH] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-12 18:19 [PATCH] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler() Dan Carpenter
2020-05-14 17:03 ` James Smart
@ 2020-05-15 0:21 ` Martin K. Petersen
2020-05-15 10:19 ` [PATCH resend] " Dan Carpenter
1 sibling, 1 reply; 14+ messages in thread
From: Martin K. Petersen @ 2020-05-15 0:21 UTC (permalink / raw)
To: Dan Carpenter
Cc: James Smart, Dick Kennedy, James E.J. Bottomley,
Martin K. Petersen, Jens Axboe, Hannes Reinecke, Paul Ely,
linux-scsi, kernel-janitors, Christoph Hellwig
Dan,
> The "axchg" pointer is dereferenced when we call the
> lpfc_nvme_unsol_ls_issue_abort() function. It can't be either freed or
> NULL.
>
> Fixes: 3a8070c567aa ("lpfc: Refactor NVME LS receive handling")
This fix needs to go through the NVMe tree.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 14+ messages in thread* [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-15 0:21 ` Martin K. Petersen
@ 2020-05-15 10:19 ` Dan Carpenter
2020-05-20 16:55 ` Christoph Hellwig
0 siblings, 1 reply; 14+ messages in thread
From: Dan Carpenter @ 2020-05-15 10:19 UTC (permalink / raw)
To: James Smart, linux-nvme
Cc: Dick Kennedy, James E.J. Bottomley, Martin K. Petersen,
Jens Axboe, Hannes Reinecke, Paul Ely, linux-scsi,
kernel-janitors
The "axchg" pointer is dereferenced when we call the
lpfc_nvme_unsol_ls_issue_abort() function. It can't be either freed or
NULL.
Fixes: 3a8070c567aa ("lpfc: Refactor NVME LS receive handling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: James Smart <james.smart@broadcom.com>
---
Resending to the NVMe list. Added James' R-b.
Is there a way we could update MAINTAINERS so that ./get_maintainer.pl
send these to the correct list?
drivers/scsi/lpfc/lpfc_sli.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 38889cb6e1996..fcf51b4192d66 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -2895,14 +2895,14 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
(phba->nvmet_support) ? "T" : "I", ret);
out_fail:
- kfree(axchg);
-
/* recycle receive buffer */
lpfc_in_buf_free(phba, &nvmebuf->dbuf);
/* If start of new exchange, abort it */
- if (fctl & FC_FC_FIRST_SEQ && !(fctl & FC_FC_EX_CTX))
+ if (axchg && (fctl & FC_FC_FIRST_SEQ) && !(fctl & FC_FC_EX_CTX))
lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid);
+
+ kfree(axchg);
}
/**
--
2.26.2
^ permalink raw reply related [flat|nested] 14+ messages in thread* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-15 10:19 ` [PATCH resend] " Dan Carpenter
@ 2020-05-20 16:55 ` Christoph Hellwig
2020-05-20 17:24 ` Dan Carpenter
0 siblings, 1 reply; 14+ messages in thread
From: Christoph Hellwig @ 2020-05-20 16:55 UTC (permalink / raw)
To: Dan Carpenter
Cc: James Smart, linux-nvme, Jens Axboe, Dick Kennedy, linux-scsi,
Martin K. Petersen, James E.J. Bottomley, kernel-janitors,
Paul Ely, Hannes Reinecke
James, can you review this patch?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 16:55 ` Christoph Hellwig
@ 2020-05-20 17:24 ` Dan Carpenter
2020-05-20 17:28 ` Christoph Hellwig
0 siblings, 1 reply; 14+ messages in thread
From: Dan Carpenter @ 2020-05-20 17:24 UTC (permalink / raw)
To: Christoph Hellwig
Cc: James Smart, linux-nvme, Jens Axboe, Dick Kennedy, linux-scsi,
Martin K. Petersen, James E.J. Bottomley, kernel-janitors,
Paul Ely, Hannes Reinecke
On Wed, May 20, 2020 at 09:55:57AM -0700, Christoph Hellwig wrote:
> James, can you review this patch?
He already reviewed it in a different thread. I copied his R-b tag.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:24 ` Dan Carpenter
@ 2020-05-20 17:28 ` Christoph Hellwig
2020-05-20 17:33 ` Martin K. Petersen
0 siblings, 1 reply; 14+ messages in thread
From: Christoph Hellwig @ 2020-05-20 17:28 UTC (permalink / raw)
To: Dan Carpenter
Cc: Christoph Hellwig, James Smart, linux-nvme, Jens Axboe,
Dick Kennedy, linux-scsi, Martin K. Petersen,
James E.J. Bottomley, kernel-janitors, Paul Ely, Hannes Reinecke
On Wed, May 20, 2020 at 08:24:33PM +0300, Dan Carpenter wrote:
> On Wed, May 20, 2020 at 09:55:57AM -0700, Christoph Hellwig wrote:
> > James, can you review this patch?
>
> He already reviewed it in a different thread. I copied his R-b tag.
James, should this go into the nvme or scsi tree?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:28 ` Christoph Hellwig
@ 2020-05-20 17:33 ` Martin K. Petersen
2020-05-20 17:37 ` Christoph Hellwig
0 siblings, 1 reply; 14+ messages in thread
From: Martin K. Petersen @ 2020-05-20 17:33 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Dan Carpenter, James Smart, linux-nvme, Jens Axboe, Dick Kennedy,
linux-scsi, Martin K. Petersen, James E.J. Bottomley,
kernel-janitors, Paul Ely, Hannes Reinecke
Christoph,
> On Wed, May 20, 2020 at 08:24:33PM +0300, Dan Carpenter wrote:
>> On Wed, May 20, 2020 at 09:55:57AM -0700, Christoph Hellwig wrote:
>> > James, can you review this patch?
>>
>> He already reviewed it in a different thread. I copied his R-b tag.
>
> James, should this go into the nvme or scsi tree?
The offending patch is in the nvme tree so I think you should take
it. Otherwise I'll pick it up in 5.8/scsi-fixes.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:33 ` Martin K. Petersen
@ 2020-05-20 17:37 ` Christoph Hellwig
2020-05-20 17:39 ` Martin K. Petersen
0 siblings, 1 reply; 14+ messages in thread
From: Christoph Hellwig @ 2020-05-20 17:37 UTC (permalink / raw)
To: Martin K. Petersen
Cc: Christoph Hellwig, Dan Carpenter, James Smart, linux-nvme,
Jens Axboe, Dick Kennedy, linux-scsi, James E.J. Bottomley,
kernel-janitors, Paul Ely, Hannes Reinecke
On Wed, May 20, 2020 at 01:33:12PM -0400, Martin K. Petersen wrote:
>
> Christoph,
>
> > On Wed, May 20, 2020 at 08:24:33PM +0300, Dan Carpenter wrote:
> >> On Wed, May 20, 2020 at 09:55:57AM -0700, Christoph Hellwig wrote:
> >> > James, can you review this patch?
> >>
> >> He already reviewed it in a different thread. I copied his R-b tag.
> >
> > James, should this go into the nvme or scsi tree?
>
> The offending patch is in the nvme tree so I think you should take
> it. Otherwise I'll pick it up in 5.8/scsi-fixes.
I'll pick it up. Can you give me an ACK for it to show Jens you are
ok with that?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:37 ` Christoph Hellwig
@ 2020-05-20 17:39 ` Martin K. Petersen
2020-05-20 17:48 ` Christoph Hellwig
0 siblings, 1 reply; 14+ messages in thread
From: Martin K. Petersen @ 2020-05-20 17:39 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Martin K. Petersen, Dan Carpenter, James Smart, linux-nvme,
Jens Axboe, Dick Kennedy, linux-scsi, James E.J. Bottomley,
kernel-janitors, Paul Ely, Hannes Reinecke
Christoph,
> I'll pick it up. Can you give me an ACK for it to show Jens you are
> ok with that?
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:39 ` Martin K. Petersen
@ 2020-05-20 17:48 ` Christoph Hellwig
2020-05-20 17:51 ` James Smart
0 siblings, 1 reply; 14+ messages in thread
From: Christoph Hellwig @ 2020-05-20 17:48 UTC (permalink / raw)
To: Martin K. Petersen
Cc: Christoph Hellwig, Jens Axboe, Dick Kennedy, linux-scsi,
James E.J. Bottomley, kernel-janitors, James Smart, linux-nvme,
Paul Ely, Hannes Reinecke, Dan Carpenter
On Wed, May 20, 2020 at 01:39:55PM -0400, Martin K. Petersen wrote:
>
> Christoph,
>
> > I'll pick it up. Can you give me an ACK for it to show Jens you are
> > ok with that?
>
> Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Thanks,
applied to nvme-5.8.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:48 ` Christoph Hellwig
@ 2020-05-20 17:51 ` James Smart
2020-05-20 17:57 ` Christoph Hellwig
2020-05-20 18:01 ` Dan Carpenter
0 siblings, 2 replies; 14+ messages in thread
From: James Smart @ 2020-05-20 17:51 UTC (permalink / raw)
To: Christoph Hellwig, Martin K. Petersen
Cc: Jens Axboe, Dick Kennedy, linux-scsi, James E.J. Bottomley,
kernel-janitors, linux-nvme, Paul Ely, Hannes Reinecke,
Dan Carpenter
On 5/20/2020 10:48 AM, Christoph Hellwig wrote:
> On Wed, May 20, 2020 at 01:39:55PM -0400, Martin K. Petersen wrote:
>> Christoph,
>>
>>> I'll pick it up. Can you give me an ACK for it to show Jens you are
>>> ok with that?
>> Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
> Thanks,
>
> applied to nvme-5.8.
Guess you didn't see Dan's response - we had replied, and Dick rejected
it. Dick has created a new patch that I'll be posting shortly.
-- james
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:51 ` James Smart
@ 2020-05-20 17:57 ` Christoph Hellwig
2020-05-20 18:01 ` Dan Carpenter
1 sibling, 0 replies; 14+ messages in thread
From: Christoph Hellwig @ 2020-05-20 17:57 UTC (permalink / raw)
To: James Smart
Cc: Christoph Hellwig, Martin K. Petersen, Jens Axboe, Dick Kennedy,
linux-scsi, James E.J. Bottomley, kernel-janitors, linux-nvme,
Paul Ely, Hannes Reinecke, Dan Carpenter
On Wed, May 20, 2020 at 10:51:48AM -0700, James Smart wrote:
> On 5/20/2020 10:48 AM, Christoph Hellwig wrote:
> > On Wed, May 20, 2020 at 01:39:55PM -0400, Martin K. Petersen wrote:
> > > Christoph,
> > >
> > > > I'll pick it up. Can you give me an ACK for it to show Jens you are
> > > > ok with that?
> > > Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
> > Thanks,
> >
> > applied to nvme-5.8.
>
> Guess you didn't see Dan's response - we had replied, and Dick rejected it.
> Dick has created a new patch that I'll be posting shortly.
Oh well, I'll pull it again then.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH resend] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler()
2020-05-20 17:51 ` James Smart
2020-05-20 17:57 ` Christoph Hellwig
@ 2020-05-20 18:01 ` Dan Carpenter
1 sibling, 0 replies; 14+ messages in thread
From: Dan Carpenter @ 2020-05-20 18:01 UTC (permalink / raw)
To: James Smart
Cc: Christoph Hellwig, Martin K. Petersen, Jens Axboe, Dick Kennedy,
linux-scsi, James E.J. Bottomley, kernel-janitors, linux-nvme,
Paul Ely, Hannes Reinecke
On Wed, May 20, 2020 at 10:51:48AM -0700, James Smart wrote:
> On 5/20/2020 10:48 AM, Christoph Hellwig wrote:
> > On Wed, May 20, 2020 at 01:39:55PM -0400, Martin K. Petersen wrote:
> > > Christoph,
> > >
> > > > I'll pick it up. Can you give me an ACK for it to show Jens you are
> > > > ok with that?
> > > Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
> > Thanks,
> >
> > applied to nvme-5.8.
>
> Guess you didn't see Dan's response - we had replied, and Dick rejected it.
> Dick has created a new patch that I'll be posting shortly.
Gar.... I'm sorry I have two mail boxes, one for kernel-janitors and
one for my own email address. I guess his email never made it to the
lists. I did get it on my other email box though.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2020-05-20 18:02 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-12 18:19 [PATCH] scsi: lpfc: Fix a use after free in lpfc_nvme_unsol_ls_handler() Dan Carpenter
2020-05-14 17:03 ` James Smart
2020-05-15 0:21 ` Martin K. Petersen
2020-05-15 10:19 ` [PATCH resend] " Dan Carpenter
2020-05-20 16:55 ` Christoph Hellwig
2020-05-20 17:24 ` Dan Carpenter
2020-05-20 17:28 ` Christoph Hellwig
2020-05-20 17:33 ` Martin K. Petersen
2020-05-20 17:37 ` Christoph Hellwig
2020-05-20 17:39 ` Martin K. Petersen
2020-05-20 17:48 ` Christoph Hellwig
2020-05-20 17:51 ` James Smart
2020-05-20 17:57 ` Christoph Hellwig
2020-05-20 18:01 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).