Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9099230pxu; Mon, 28 Dec 2020 06:37:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJzm0ou8oCWSPXaDvtb58Nt37Xr1j0OkPkUAliuxMdZAwzHmWrRV/ZBOWU4NJODasUiFDL1s X-Received: by 2002:a50:abc6:: with SMTP id u64mr13972990edc.21.1609166231162; Mon, 28 Dec 2020 06:37:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609166231; cv=none; d=google.com; s=arc-20160816; b=j8OtQp0zQu+0J73MxKUs5IZU3ieSfcsyFfrgRFlJAwGUR0kqrtw96urxg0zAOTdChF S/pog1AATVRWP3MYKYjdnFUPDbHwVAds9UqbITQNz0Rq6dV/iLrl28MrP63Pt2pH3hc3 qjirZF/vMhe1iLJx4tP0tlPq50WSDhBb+l9+EA1AsuK6VUQgy725UHkeASC3nua5SeiA 49Lebdb7DiCqeDgHCT4wBrRT5NRNHZEXuUeTHQzxqHZXPM7WuIIp8kVZxg9gb9fkS/dO K0KTE/CjFNVLsBTbRGC1dqTVldMpLjv0gaNWQyJAOYsdQwzM06ENQ3YyvXswcmlpmqEp ARdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=LrCNwWV65ovqi//pq9lUPHL6qf3eNDhz/xfEJ3A43r8=; b=ucoFuJVQGWylbYE6NQlUSI9qXy4ZZNmnfSq3T13TtDf4iqDWnS2khSx6TatiBVU2c+ wu+TWNharSnsJyCsTK04BZt2NfADvMetMBkawHU2K1SNZ1TQ5f/xcvTW/AKam+pfFu3Q FSXIRkzctZyMg/pPV/9oomo3mvDWsWzrq+BQy4U7ZUpE4Srr/IoFokHBLl3zaOk9V+RU 9SY7TAHzefWrDDBx1T45BlNkqPbKXcc7YH8Wd8TcUBPpILrKBMlC63wiqizRQ1Fi9jUO oNLHocRcLa+MambV4FLeLgOtjK9UjKWGzS2oVilaUkDJ7v9nV3/tF/7HUH+pfowNokwG 8U9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=dc33vX19; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cb24si19608689edb.552.2020.12.28.06.36.47; Mon, 28 Dec 2020 06:37:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=dc33vX19; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2505020AbgL1Odb (ORCPT + 99 others); Mon, 28 Dec 2020 09:33:31 -0500 Received: from mail.kernel.org ([198.145.29.99]:39562 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2504356AbgL1ObV (ORCPT ); Mon, 28 Dec 2020 09:31:21 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8C0382245C; Mon, 28 Dec 2020 14:30:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1609165841; bh=xni1xbnFKMBXSg0riPo9DOg8dKdcuDT9JL1hPe3zpxA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dc33vX19f3DCFMfskJ8VwLf04x3I6fbkNeJXXe0qk6z8mJBs6BHArZNZlDh1nGVxN 0Fic7eat7UbPuBaQCke+mY68+XdXAen8JF5BK6mrf4t+OkTf2EHBEFgEwJYPMXinbZ Y+x20b5flz5AxwPsGJSdqfZlbvmDRasevOB9xDZI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, James Smart , "Martin K. Petersen" Subject: [PATCH 5.10 672/717] scsi: lpfc: Re-fix use after free in lpfc_rq_buf_free() Date: Mon, 28 Dec 2020 13:51:10 +0100 Message-Id: <20201228125053.178924484@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201228125020.963311703@linuxfoundation.org> References: <20201228125020.963311703@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: James Smart commit e5785d3ec32f5f44dd88cd7b398e496742630469 upstream. Commit 9816ef6ecbc1 ("scsi: lpfc: Use after free in lpfc_rq_buf_free()") was made to correct a use after free condition in lpfc_rq_buf_free(). Unfortunately, a subsequent patch cut on a tree without the fix inadvertently reverted the fix. Put the fix back: Move the freeing of the rqb_entry to after the print function that references it. Link: https://lore.kernel.org/r/20201020202719.54726-4-james.smart@broadcom.com Fixes: 411de511c694 ("scsi: lpfc: Fix RQ empty firmware trap") Cc: # v4.17+ Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/lpfc/lpfc_mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/scsi/lpfc/lpfc_mem.c +++ b/drivers/scsi/lpfc/lpfc_mem.c @@ -721,7 +721,6 @@ lpfc_rq_buf_free(struct lpfc_hba *phba, drqe.address_hi = putPaddrHigh(rqb_entry->dbuf.phys); rc = lpfc_sli4_rq_put(rqb_entry->hrq, rqb_entry->drq, &hrqe, &drqe); if (rc < 0) { - (rqbp->rqb_free_buffer)(phba, rqb_entry); lpfc_printf_log(phba, KERN_ERR, LOG_INIT, "6409 Cannot post to HRQ %d: %x %x %x " "DRQ %x %x\n", @@ -731,6 +730,7 @@ lpfc_rq_buf_free(struct lpfc_hba *phba, rqb_entry->hrq->entry_count, rqb_entry->drq->host_index, rqb_entry->drq->hba_index); + (rqbp->rqb_free_buffer)(phba, rqb_entry); } else { list_add_tail(&rqb_entry->hbuf.list, &rqbp->rqb_buffer_list); rqbp->buffer_count++;