From patchwork Mon Aug 31 20:48:15 2015
X-Patchwork-Submitter: James Smart
X-Patchwork-Id: 7101581
Date: Mon, 31 Aug 2015 16:48:15 -0400
From: james.smart@avagotech.com (James Smart)
To: linux-scsi@vger.kernel.org
Subject: [PATCH 08/14] lpfc: Fix possible use-after-free and double free in lpfc_mbx_cmpl_rdp_page_a2()
Message-ID: <55e4bd8f.66pL9YWWXA/xjdG0%james.smart@avagotech.com>

From: Johannes Thumshirn

If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeed, execution continues normally and mp gets kfree()d. If the subsequent call to lpfc_sli_issue_mbox() fails, execution jumps to the error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as function arguments. This is the use after free. Following the use after free, mp gets kfree()d again, which is a double free.

Signed-off-by: Johannes Thumshirn
Signed-off-by: James Smart Reviewed-by: Sebastian Herbszt Reviewed-by: Hannes Reinecke --- drivers/scsi/lpfc/lpfc_mbox.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_mbox.c b/drivers/scsi/lpfc/lpfc_mbox.c index 723e110..18838ea 100644 --- a/drivers/scsi/lpfc/lpfc_mbox.c +++ b/drivers/scsi/lpfc/lpfc_mbox.c @@ -2276,7 +2276,7 @@ lpfc_mbx_cmpl_rdp_page_a2(struct lpfc_hba *phba, LPFC_MBOXQ_t *mbox) (struct lpfc_rdp_context *)(mbox->context2); if (bf_get(lpfc_mqe_status, &mbox->u.mqe)) - goto error; + goto error_mbuf_free; lpfc_sli_bemem_bcopy(mp->virt, &rdp_context->page_a2, DMP_SFF_PAGE_A2_SIZE); @@ -2291,13 +2291,14 @@ lpfc_mbx_cmpl_rdp_page_a2(struct lpfc_hba *phba, LPFC_MBOXQ_t *mbox) mbox->mbox_cmpl = lpfc_mbx_cmpl_rdp_link_stat; mbox->context2 = (struct lpfc_rdp_context *) rdp_context; if (lpfc_sli_issue_mbox(phba, mbox, MBX_NOWAIT) == MBX_NOT_FINISHED) - goto error; + goto error_cmd_free; return; -error: +error_mbuf_free: lpfc_mbuf_free(phba, mp->virt, mp->phys); kfree(mp); +error_cmd_free: lpfc_sli4_mbox_cmd_free(phba, mbox); rdp_context->cmpl(phba, rdp_context, FAILURE); }
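Review bot: the first hunk, at the bf_get(lpfc_mqe_status, &mbox->u.mqe) check, is a pure rename of `goto error` to `goto error_mbuf_free` and keeps that path's behaviour: mp is still live at this point, so releasing mp->virt/mp->phys and kfree(mp) before freeing the command is the right order. Removing the old `error` label is also a good defensive choice, since any other stale `goto error` in the function would now fail to build instead of silently jumping to the wrong cleanup; the commit message could say explicitly that only the second hunk changes behaviour.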
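Review bot: the correctness of `goto error_cmd_free` after lpfc_sli_issue_mbox() returns MBX_NOT_FINISHED rests on mp having already been kfree()d in the lines between the two hunks, which the commit message asserts but the hunk does not show. Consider setting mp = NULL right after that kfree(), so that any future goto into `error_mbuf_free:` from that region dereferences NULL in lpfc_mbuf_free(phba, mp->virt, mp->phys) and fails loudly rather than corrupting the allocator, and add a one-line comment above `error_cmd_free:` marking the intentional fall-through from `error_mbuf_free:`. On the MBX_NOT_FINISHED path mbox->mbox_cmpl and mbox->context2 have already been pointed at lpfc_mbx_cmpl_rdp_link_stat and rdp_context; that is harmless only because MBX_NOT_FINISHED means the command was never queued, which is exactly what freeing it with lpfc_sli4_mbox_cmd_free() here assumes.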
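To make the bug the commit message describes concrete, here is a constructed model of the two cleanup-label layouts, written for this page and not taken from the lpfc driver: frees are counted rather than performed, so the double free shows up as a number instead of a crash, and `free_mbuf`, `free_cmd`, `before_fix` and `after_fix` are all assumed names.

```c
/* Constructed model of the cleanup-label layout in lpfc_mbx_cmpl_rdp_page_a2().
 * Added example, not the driver's code: allocations are simulated and frees
 * are counted so a double free is observable without undefined behaviour. */
#include <stdbool.h>

struct counters { int mbuf_frees; int cmd_frees; };

/* stands in for lpfc_mbuf_free(phba, mp->virt, mp->phys) + kfree(mp) */
static void free_mbuf(struct counters *c) { c->mbuf_frees++; }
/* stands in for lpfc_sli4_mbox_cmd_free(phba, mbox) */
static void free_cmd(struct counters *c)  { c->cmd_frees++; }

/* status_bad:  bf_get(lpfc_mqe_status) reports a failed mailbox.
 * issue_fails: lpfc_sli_issue_mbox() returns MBX_NOT_FINISHED. */
static struct counters before_fix(bool status_bad, bool issue_fails)
{
    struct counters c = { 0, 0 };
    if (status_bad)
        goto error;
    /* ... page A2 is copied out of mp->virt, then the driver releases mp ... */
    free_mbuf(&c);
    if (issue_fails)
        goto error;          /* BUG: the shared label frees mp a second time */
    return c;                /* mailbox re-issued; its completion owns it now */
error:
    free_mbuf(&c);           /* use-after-free and double free when reached from above */
    free_cmd(&c);
    return c;
}

static struct counters after_fix(bool status_bad, bool issue_fails)
{
    struct counters c = { 0, 0 };
    if (status_bad)
        goto error_mbuf_free;
    free_mbuf(&c);
    if (issue_fails)
        goto error_cmd_free; /* mp is already gone: only the command is freed */
    return c;
error_mbuf_free:
    free_mbuf(&c);
    /* intentional fall-through: both error paths end by freeing the command */
error_cmd_free:
    free_cmd(&c);
    return c;
}
```

The interesting case is `issue_fails` with a good status: the old layout releases the buffer twice, the new layout exactly once, while every other path is unchanged.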