| Message ID | 20220303015115.459778-1-niejianglei2021@163.com (mailing list archive) |
|---|---|
| State | Accepted |
| Series | scsi: libfc: Fix use after free in fc_exch_abts_resp() |
On 3/3/22 02:51, Jianglei Nie wrote: > fc_exch_release(ep) will decrease the ep's reference count. When the > reference count reaches zero, it is freed. But ep is still used in the > following code, which will lead to a use after free. > > We should return the function after the call of fc_exch_release() to > avoid use after free. > > Signed-off-by: Jianglei Nie <niejianglei2021@163.com> > --- > drivers/scsi/libfc/fc_exch.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c > index 841000445b9a..aa223db4cf53 100644 > --- a/drivers/scsi/libfc/fc_exch.c > +++ b/drivers/scsi/libfc/fc_exch.c > @@ -1701,6 +1701,7 @@ static void fc_exch_abts_resp(struct fc_exch *ep, struct fc_frame *fp) > if (cancel_delayed_work_sync(&ep->timeout_work)) { > FC_EXCH_DBG(ep, "Exchange timer canceled due to ABTS response\n"); > fc_exch_release(ep); /* release from pending timer hold */ > + return; > } > > spin_lock_bh(&ep->ex_lock); Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes
Jianglei,

> fc_exch_release(ep) will decrease the ep's reference count. When the
> reference count reaches zero, it is freed. But ep is still used in the
> following code, which will lead to a use after free.

Applied to 5.18/scsi-staging, thanks!
On Thu, 3 Mar 2022 09:51:15 +0800, Jianglei Nie wrote:

> fc_exch_release(ep) will decrease the ep's reference count. When the
> reference count reaches zero, it is freed. But ep is still used in the
> following code, which will lead to a use after free.
>
> We should return the function after the call of fc_exch_release() to
> avoid use after free.
>
> [...]

Applied to 5.18/scsi-queue, thanks!

[1/1] scsi: libfc: Fix use after free in fc_exch_abts_resp()
      https://git.kernel.org/mkp/scsi/c/271add11994b
diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c index 841000445b9a..aa223db4cf53 100644 --- a/drivers/scsi/libfc/fc_exch.c +++ b/drivers/scsi/libfc/fc_exch.c @@ -1701,6 +1701,7 @@ static void fc_exch_abts_resp(struct fc_exch *ep, struct fc_frame *fp) if (cancel_delayed_work_sync(&ep->timeout_work)) { FC_EXCH_DBG(ep, "Exchange timer canceled due to ABTS response\n"); fc_exch_release(ep); /* release from pending timer hold */ + return; } spin_lock_bh(&ep->ex_lock);
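Review bot: the `return` added directly after `fc_exch_release(ep); /* release from pending timer hold */` also skips everything from `spin_lock_bh(&ep->ex_lock);` onward, that is, the normal handling of the ABTS response for this exchange; the commit message should say why that processing is not needed once the timer hold has been dropped, and whether the caller still holds its own reference to `ep`, because the release comment names only the timer's hold and, if another reference remains, this single release cannot bring the count to zero and the early return would change behaviour rather than prevent a use after free. A one-line comment beside the `return` stating why the remainder of the function is skipped would make the intent clear to the next reader.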
fc_exch_release(ep) will decrease the ep's reference count. When the
reference count reaches zero, it is freed. But ep is still used in the
following code, which will lead to a use after free.

We should return the function after the call of fc_exch_release() to
avoid use after free.

Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
---
drivers/scsi/libfc/fc_exch.c | 1 +
1 file changed, 1 insertion(+)