All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
@ 2018-03-19 10:33 Dan Carpenter
  2018-03-20  3:08 ` Martin K. Petersen
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Dan Carpenter @ 2018-03-19 10:33 UTC (permalink / raw)
  To: kernel-janitors

The scsi_host_put() function frees "pHba" and then we dereference it on
the next line when we do "scsi_host_put(pHba->host);".

Fixes: 38e09e3bb056 ("scsi: dpt_i2o: stop using scsi_unregister")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 3c667b23a801..ac2f40d9963b 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -306,8 +306,8 @@ static void adpt_release(adpt_hba *pHba)
 {
 	scsi_remove_host(pHba->host);
 //	adpt_i2o_quiesce_hba(pHba);
-	adpt_i2o_delete_hba(pHba);
 	scsi_host_put(pHba->host);
+	adpt_i2o_delete_hba(pHba);
 }
 
 

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
  2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
@ 2018-03-20  3:08 ` Martin K. Petersen
  2018-03-20  8:42 ` Christoph Hellwig
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2018-03-20  3:08 UTC (permalink / raw)
  To: kernel-janitors


Dan,

> The scsi_host_put() function frees "pHba" and then we dereference it on
> the next line when we do "scsi_host_put(pHba->host);".

Applied to 4.17/scsi-queue, thank you.

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
  2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
  2018-03-20  3:08 ` Martin K. Petersen
@ 2018-03-20  8:42 ` Christoph Hellwig
  2018-03-20  9:58 ` Dan Carpenter
  2018-03-21 22:37 ` Martin K. Petersen
  3 siblings, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2018-03-20  8:42 UTC (permalink / raw)
  To: kernel-janitors

On Mon, Mar 19, 2018 at 11:08:37PM -0400, Martin K. Petersen wrote:
> 
> Dan,
> 
> > The scsi_host_put() function frees "pHba" and then we dereference it on
> > the next line when we do "scsi_host_put(pHba->host);".
> 
> Applied to 4.17/scsi-queue, thank you.

This fix is broken!  adpt_i2o_delete_hba references pHba->host as well.

Instead we need a local variable for the host. Fix below:

---
From 701440055539c0f72a3179d85a44bd59d45a7d4b Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Tue, 20 Mar 2018 09:40:44 +0100
Subject: dpt_i2o: fix use after free in adpt_release for real

Fixes: 7bec5bed ("scsi: dpt_i2o: use after free in adpt_release()")

adpt_i2o_delete_hba still references the host.

Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 drivers/scsi/dpt_i2o.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 0f30792d74c4..35d45903ed2e 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -304,10 +304,12 @@ static int adpt_detect(struct scsi_host_template* sht)
 
 static void adpt_release(adpt_hba *pHba)
 {
-	scsi_remove_host(pHba->host);
+	struct Scsi_Host *shost = pHba->host;
+
+	scsi_remove_host(shost);
 //	adpt_i2o_quiesce_hba(pHba);
-	scsi_host_put(pHba->host);
 	adpt_i2o_delete_hba(pHba);
+	scsi_host_put(shost);
 }
 
 
-- 
2.14.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
  2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
  2018-03-20  3:08 ` Martin K. Petersen
  2018-03-20  8:42 ` Christoph Hellwig
@ 2018-03-20  9:58 ` Dan Carpenter
  2018-03-21 22:37 ` Martin K. Petersen
  3 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2018-03-20  9:58 UTC (permalink / raw)
  To: kernel-janitors

Yeah.  You're right.  Thanks for catching that.

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
  2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
                   ` (2 preceding siblings ...)
  2018-03-20  9:58 ` Dan Carpenter
@ 2018-03-21 22:37 ` Martin K. Petersen
  3 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2018-03-21 22:37 UTC (permalink / raw)
  To: kernel-janitors


Christoph,

> This fix is broken!  adpt_i2o_delete_hba references pHba->host as well.
>
> Instead we need a local variable for the host.

Thanks for spotting this! Fixed it up.

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-03-21 22:37 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
2018-03-20  3:08 ` Martin K. Petersen
2018-03-20  8:42 ` Christoph Hellwig
2018-03-20  9:58 ` Dan Carpenter
2018-03-21 22:37 ` Martin K. Petersen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.