Commit 4e57e0b9 authored by James Smart's avatar James Smart Committed by Christoph Hellwig

lpfc: fix axchg pointer reference after free and double frees

The axchg structure is a structure allocated early in the
lpfc_nvme_unsol_ls_handler() to represent the newly received exchange.
Upon error, the out_fail path in the routine unconditionally frees the
pointer, yet subsequently passes the pointer to the abort routine.
Additionally, the abort routine, lpfc_nvme_unsol_ls_issue_abort(), also
has a failure path that will attempt to delete the pointer on error.

Fix these errors by:
- Removing the unconditional free so that it stays valid if passed
  to the abort routine.
- Revise the abort routine to not free the pointer. Instead, return
  a success/failure status. Note: if success, the later completion of
  the abort frees the structure.
- Back in the unsol_ls_handler() error path, if the abort routine was
  skipped (thus no possible reference) or the abort routine returned
  error, free the pointer.

Fixes: 3a8070c5 ("lpfc: Refactor NVME LS receive handling")
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
parent fcdd14b8
...@@ -3598,10 +3598,9 @@ lpfc_nvme_unsol_ls_issue_abort(struct lpfc_hba *phba, ...@@ -3598,10 +3598,9 @@ lpfc_nvme_unsol_ls_issue_abort(struct lpfc_hba *phba,
abts_wqeq->context2 = NULL; abts_wqeq->context2 = NULL;
abts_wqeq->context3 = NULL; abts_wqeq->context3 = NULL;
lpfc_sli_release_iocbq(phba, abts_wqeq); lpfc_sli_release_iocbq(phba, abts_wqeq);
kfree(ctxp);
lpfc_printf_log(phba, KERN_ERR, LOG_NVME_ABTS, lpfc_printf_log(phba, KERN_ERR, LOG_NVME_ABTS,
"6056 Failed to Issue ABTS. Status x%x\n", rc); "6056 Failed to Issue ABTS. Status x%x\n", rc);
return 0; return 1;
} }
/** /**
......
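Review bot: The kernel-doc header of lpfc_nvme_unsol_ls_issue_abort (above the hunk) needs to state the new ownership contract now that this tail returns 1 instead of freeing ctxp: `Return: 0 if the ABTS was issued and ctxp will be released by the abort completion; non-zero if it was not, in which case the caller still owns ctxp and must free it.` Any earlier bail-out in this function that exits before the abort WQE is issued must also return non-zero under the new contract, since the caller frees axchg only on a non-zero return; a `return 0` from such a path would leak the exchange. The head of the function is outside the hunk, so this is inferred from the changed contract rather than from visible code.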
...@@ -2813,7 +2813,7 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb) ...@@ -2813,7 +2813,7 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
struct lpfc_async_xchg_ctx *axchg = NULL; struct lpfc_async_xchg_ctx *axchg = NULL;
char *failwhy = NULL; char *failwhy = NULL;
uint32_t oxid, sid, did, fctl, size; uint32_t oxid, sid, did, fctl, size;
int ret; int ret = 1;
d_buf = piocb->context2; d_buf = piocb->context2;
...@@ -2897,14 +2897,16 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb) ...@@ -2897,14 +2897,16 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
(phba->nvmet_support) ? "T" : "I", ret); (phba->nvmet_support) ? "T" : "I", ret);
out_fail: out_fail:
kfree(axchg);
/* recycle receive buffer */ /* recycle receive buffer */
lpfc_in_buf_free(phba, &nvmebuf->dbuf); lpfc_in_buf_free(phba, &nvmebuf->dbuf);
/* If start of new exchange, abort it */ /* If start of new exchange, abort it */
if (fctl & FC_FC_FIRST_SEQ && !(fctl & FC_FC_EX_CTX)) if (axchg && (fctl & FC_FC_FIRST_SEQ && !(fctl & FC_FC_EX_CTX)))
lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid); ret = lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid);
if (ret)
kfree(axchg);
} }
/** /**
......
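Review bot: At out_fail `ret` now carries two meanings — the status of the earlier LS receive call that is logged just above the label, and the "axchg is still owned here" flag that drives the final kfree — and nothing at the free says so. A one-line comment above the check would make the rule explicit: `/* ret != 0: abort was skipped or failed to issue, so axchg is still ours to free */`. The correctness of the free also relies on every jump to out_fail taken after axchg is allocated leaving ret non-zero; jumps taken before the allocation are safe because ret starts at 1 and kfree(NULL) is a no-op. The function's head, including the receive call that assigns ret, is outside the hunk.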