From patchwork Mon Mar 19 10:34:01 2018
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 10292083
Date: Mon, 19 Mar 2018 13:34:01 +0300
From: Dan Carpenter
To: Adaptec OEM Raid Solutions
Cc: "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH 2/2] scsi: dpt_i2o: use after free in __adpt_reset()
Message-ID: <20180319103401.GB8543@mwanda>

In __adpt_reset() the problem is that adpt_hba_reset() frees "pHba" on
error but we dereference it to print the name in the error message.

Signed-off-by: Dan Carpenter

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 3c667b23a801..ac2f40d9963b 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c
@@ -797,14 +797,17 @@ static int __adpt_reset(struct scsi_cmnd* cmd) { adpt_hba* pHba; int rcode; + char name[32]; + pHba = (adpt_hba*)cmd->device->host->hostdata[0]; - printk(KERN_WARNING"%s: Hba Reset: scsi id %d: tid: %d\n",pHba->name,cmd->device->channel,pHba->channel[cmd->device->channel].tid ); + strncpy(name, pHba->name, sizeof(name)); + printk(KERN_WARNING"%s: Hba Reset: scsi id %d: tid: %d\n", name, cmd->device->channel, pHba->channel[cmd->device->channel].tid); rcode = adpt_hba_reset(pHba); if(rcode == 0){ - printk(KERN_WARNING"%s: HBA reset complete\n",pHba->name); + printk(KERN_WARNING"%s: HBA reset complete\n", name); return SUCCESS; } else { - printk(KERN_WARNING"%s: HBA reset failed (%x)\n",pHba->name, rcode); + printk(KERN_WARNING"%s: HBA reset failed (%x)\n", name, rcode); return FAILED; } }
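
Review bot: the added strncpy(name, pHba->name, sizeof(name)) leaves name[] without a terminating NUL if the source fills all 32 bytes, and the three printk() calls that follow read it with %s. Unless pHba->name is known to be shorter than the buffer, use a bounded copy that always terminates, such as strscpy(name, pHba->name, sizeof(name)), or set name[sizeof(name) - 1] = '\0' after the copy. A one-line comment above the copy saying that adpt_hba_reset() may free pHba on failure would also keep a later cleanup from switching the messages back to pHba->name.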