From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Bart Van Assche <bart.vanassche@sandisk.com>,
Vasu Dev <vasu.dev@intel.com>,
James Bottomley <JBottomley@Odin.com>
Subject: [PATCH 3.14 12/18] libfc: Fix fc_exch_recv_req() error path
Date: Fri, 11 Sep 2015 15:49:30 -0700 [thread overview]
Message-ID: <20150911224628.876867040@linuxfoundation.org> (raw)
In-Reply-To: <20150911224628.222793657@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@sandisk.com>
commit f6979adeaab578f8ca14fdd32b06ddee0d9d3314 upstream.
Due to patch "libfc: Do not invoke the response handler after
fc_exch_done()" (commit ID 7030fd62) the lport_recv() call
in fc_exch_recv_req() is passed a dangling pointer. Avoid this
by moving the fc_frame_free() call from fc_invoke_resp() to its
callers. This patch fixes the following crash:
general protection fault: 0000 [#3] PREEMPT SMP
RIP: fc_lport_recv_req+0x72/0x280 [libfc]
Call Trace:
fc_exch_recv+0x642/0xde0 [libfc]
fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe]
kthread+0x10a/0x120
ret_from_fork+0x42/0x70
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/libfc/fc_exch.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -733,8 +733,6 @@ static bool fc_invoke_resp(struct fc_exc
if (resp) {
resp(sp, fp, arg);
res = true;
- } else if (!IS_ERR(fp)) {
- fc_frame_free(fp);
}
spin_lock_bh(&ep->ex_lock);
@@ -1596,7 +1594,8 @@ static void fc_exch_recv_seq_resp(struct
* If new exch resp handler is valid then call that
* first.
*/
- fc_invoke_resp(ep, sp, fp);
+ if (!fc_invoke_resp(ep, sp, fp))
+ fc_frame_free(fp);
fc_exch_release(ep);
return;
@@ -1695,7 +1694,8 @@ static void fc_exch_abts_resp(struct fc_
fc_exch_hold(ep);
if (!rc)
fc_exch_delete(ep);
- fc_invoke_resp(ep, sp, fp);
+ if (!fc_invoke_resp(ep, sp, fp))
+ fc_frame_free(fp);
if (has_rec)
fc_exch_timer_set(ep, ep->r_a_tov);
fc_exch_release(ep);
next prev parent reply other threads:[~2015-09-11 22:49 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-11 22:49 [PATCH 3.14 00/18] 3.14.52-stable review Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 01/18] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 02/18] ipc/sem.c: update/correct memory barriers Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 03/18] mm/hwpoison: fix page refcount of unknown non LRU page Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 05/18] perf: Fix fasync handling on inherited events Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 06/18] perf: Fix PERF_EVENT_IOC_PERIOD migration race Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 07/18] dm thin metadata: delete btrees when releasing metadata snapshot Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 08/18] localmodconfig: Use Kbuild files too Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 09/18] EDAC, ppc4xx: Access mci->csrows array elements properly Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 10/18] drm/radeon: add new OLAND pci id Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 11/18] drm/vmwgfx: Fix execbuf locking issues Greg Kroah-Hartman
2015-09-11 22:49 ` Greg Kroah-Hartman [this message]
2015-09-11 22:49 ` [PATCH 3.14 13/18] libfc: Fix fc_fcp_cleanup_each_cmd() Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 14/18] regmap: regcache-rbtree: Clean new present bits on present bitmap resize Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 15/18] crypto: caam - fix memory corruption in ahash_final_ctx Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 16/18] arm64/mm: Remove hack in mmap randomize layout Greg Kroah-Hartman
2015-09-11 22:49 ` [PATCH 3.14 18/18] arm64: KVM: Fix host crash when injecting a fault into a 32bit guest Greg Kroah-Hartman
2015-09-12 1:08 ` [PATCH 3.14 00/18] 3.14.52-stable review Shuah Khan
2015-09-12 4:22 ` Guenter Roeck
2015-09-12 11:07 ` Sudip Mukherjee
2015-09-12 15:55 ` Greg Kroah-Hartman
2015-09-13 6:03 ` [PATCH] tty/vt: don't set font mappings on vc not supporting this Sudip Mukherjee
2015-09-21 1:40 ` Greg Kroah-Hartman
2015-09-21 4:58 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150911224628.876867040@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=JBottomley@Odin.com \
--cc=bart.vanassche@sandisk.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vasu.dev@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).