From: James Smart <jsmart2021@gmail.com>
Date: Tue, 21 May 2019 17:48:59 -0700
Subject: [PATCH] scsi: lpfc: Prevent 'use after free' memory overwrite in
nvmet LS handling
References: bsc#1136217,jsc#SLE-4722
Git-commit: 51d23fb28ccb355ee4d26dedacca24c171c2f664
Patch-mainline: v5.3-rc1
Use-after-free memory overwrite detected. Problem reported
by Ewan Milne at Red Hat after running lpfc target with additional
memory checking enabled.
Race condition when lpfc_nvmet_xmt_ls_rsp_cmp frees the ctxp
memory in interrupt context before lpfc_nvmet_xmt_ls_rsp
clears a field in the ctxp after successfully issuing the wqe.
Remove the unnecessary ctxp write after reposting the rq buffer. The
ctxp->rqb_buffer field is not checked in LS handling after the wqe
is submitted.
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reported-by: Ewan Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
drivers/scsi/lpfc/lpfc_nvmet.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
index 30767517ef28..c93c64d18bae 100644
--- a/drivers/scsi/lpfc/lpfc_nvmet.c
+++ b/drivers/scsi/lpfc/lpfc_nvmet.c
@@ -907,7 +907,6 @@ lpfc_nvmet_xmt_ls_rsp(struct nvmet_fc_target_port *tgtport,
* before freeing ctxp and iocbq.
*/
lpfc_in_buf_free(phba, &nvmebuf->dbuf);
- ctxp->rqb_buffer = 0;
atomic_inc(&nvmep->xmt_ls_rsp);
return 0;
}
--
2.16.4