Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751839AbbHQV0z (ORCPT <rfc822;w@1wt.eu>);
	Mon, 17 Aug 2015 17:26:55 -0400
Received: from mout.gmx.net ([212.227.17.22]:65350 "EHLO mout.gmx.net"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751050AbbHQV0y (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 17 Aug 2015 17:26:54 -0400
Date: Mon, 17 Aug 2015 23:26:34 +0200
From: Sebastian Herbszt <herbszt@gmx.de>
To: Johannes Thumshirn <jthumshirn@suse.de>
Cc: James Smart <james.smart@avagotech.com>,
        Dick Kennedy <dick.kennedy@avagotech.com>,
        "James E.J. Bottomley" <JBottomley@odin.com>,
        linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
        Colin King <colin.king@canonical.com>,
        Sebastian Herbszt <herbszt@gmx.de>
Subject: Re: [PATCH] lpfc: Fix possible use-after-free and double free in
 lpfc_mbx_cmpl_rdp_page_a2()
Message-ID: <20150817232634.00006d80@localhost>
In-Reply-To: <1439809382-32419-1-git-send-email-jthumshirn@suse.de>
References: <1439809382-32419-1-git-send-email-jthumshirn@suse.de>
X-Mailer: Claws Mail 3.9.2-55-g74b05b (GTK+ 2.16.6; i586-pc-mingw32msvc)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:4VZLWmdLdnMjBTumZzywNAk5g84sijfCIoOa9aXXa7iuzdc2z2E
 7jcQYv4r/U4jX2eonsizdBEa8/3hHEReG7ntc5CHiLe4iqNJC7+zczL0bwkzBr+yBLZBhLY
 76KQy2tRll0HKVIketdrN9ef5YFjy2UbgwfuMtB0Pd9DBKUbw0vzDcI+iVy9ZyZBHw8B426
 ZWFe7phnRQa71fNtCcztw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:qCLlu3ZSZ7M=:IIBhUn5LZ54nWslx1+6t4g
 wWflMmUj0OFeq6T0JlmCrh47HBF1ZlMXWYPLs9oYL/WMOKB+FyYL1NFt7z+HCNTcG/v7jxn1+
 DejsyZTo6sCf4PGsk9GsoKcjtDc7bjuOsb9BdA2asNa1NiLz6dMSVhhEDhZRzRjN6CIwP0BQn
 LhJlBrs3O90juN1u4yW/vwfmzmVZpJx8ywKoQ/rZktp9O419Nm5bPgSrvukcIUCWscfNU9xaC
 YbVyDaJDzRHEUp16unpnybYc/R8jcWOL4Rqt5/Nlam3/+xb6dzZLe8tvBx/taOn0Bu1FXXDT6
 wgHU+vHHNcVWHbYoK6zjOz4zqEzCu9wZmvOTu4TIv+gIjTBNApBvwxpXWzGnpky8X1u23jVyq
 FjwsiCqpIsu/7JzAagob8bVDDeBQeb+V7okYIuzEDgWMTdbVlMmHUS4CuR7oOUyJdGzHR7IEG
 Earr+hdndqR71AFXL+WcjeD2qKE97pZZw8Msydfr27fRO4qyhwk3WUB4chlB4JTFr/wVjaLpg
 j5pw5A0hk7ZUEN39lY3H22vepLQKZL10Okz06/UXCPMfxu0lHu7bdyJd0E9Wsj3c4+98/Wlvb
 KNYO7kYOzcu321O1T1GLdn2zkfrw9WVNNw6CApDf7LU8OPhpRI9/p2EIIJzKtTm1/q4/vlCgJ
 DfLiQwg5X7Dqhk+yHGs096j1kLaiwvDU3giVEUgfT3NPGriiGQ6LDuATsaNKf7LfEEcwK14Lc
 OxRrTunUKreon273GnO28L9xaXIFW+B7VPOCsg==
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 814
Lines: 19

Johannes Thumshirn wrote:
> If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeeds, execution
> continues normally and mp gets kfree()d.
> 
> If the subsequent call to lpfc_sli_issue_mbox() fails execution jumps to the
> error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as
> function arguments. This is the use after free. Following the use after free mp
> gets kfree()d again which is a double free.

A similar patch was posted by Colin Ian King on 2015-07-31 [1].

[1] http://marc.info/?l=linux-scsi&m=143835937206204&w=2

Sebastian
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/