Commit 51d23fb2 authored by James Smart's avatar James Smart Committed by Martin K. Petersen

scsi: lpfc: Prevent 'use after free' memory overwrite in nvmet LS handling

Use-after-free memory overwrite detected. Problem reported
by Ewan Milne at Red Hat after running lpfc target with additional
memory checking enabled.

Race condition when lpfc_nvmet_xmt_ls_rsp_cmp frees the ctxp
memory in interrupt context before lpfc_nvmet_xmt_ls_rsp
clears a field in the ctxp after successfully issuing the wqe.

Remove the unnecessary ctxp write after reposting the rq buffer. The
ctxp->rqb_buffer field is not checked in LS handling after the wqe
is submitted.
Signed-off-by: default avatarDick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: default avatarJames Smart <jsmart2021@gmail.com>
Reported-by: default avatarEwan Milne <emilne@redhat.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent f22bfe8d
...@@ -907,7 +907,6 @@ lpfc_nvmet_xmt_ls_rsp(struct nvmet_fc_target_port *tgtport, ...@@ -907,7 +907,6 @@ lpfc_nvmet_xmt_ls_rsp(struct nvmet_fc_target_port *tgtport,
* before freeing ctxp and iocbq. * before freeing ctxp and iocbq.
*/ */
lpfc_in_buf_free(phba, &nvmebuf->dbuf); lpfc_in_buf_free(phba, &nvmebuf->dbuf);
ctxp->rqb_buffer = 0;
atomic_inc(&nvmep->xmt_ls_rsp); atomic_inc(&nvmep->xmt_ls_rsp);
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment