* [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
@ 2018-03-19 10:33 Dan Carpenter
2018-03-20 3:08 ` Martin K. Petersen
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Dan Carpenter @ 2018-03-19 10:33 UTC (permalink / raw)
To: kernel-janitors
The scsi_host_put() function frees "pHba" and then we dereference it on
the next line when we do "scsi_host_put(pHba->host);".
Fixes: 38e09e3bb056 ("scsi: dpt_i2o: stop using scsi_unregister")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 3c667b23a801..ac2f40d9963b 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -306,8 +306,8 @@ static void adpt_release(adpt_hba *pHba)
{
scsi_remove_host(pHba->host);
// adpt_i2o_quiesce_hba(pHba);
- adpt_i2o_delete_hba(pHba);
scsi_host_put(pHba->host);
+ adpt_i2o_delete_hba(pHba);
}
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
@ 2018-03-20 3:08 ` Martin K. Petersen
2018-03-20 8:42 ` Christoph Hellwig
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2018-03-20 3:08 UTC (permalink / raw)
To: kernel-janitors
Dan,
> The scsi_host_put() function frees "pHba" and then we dereference it on
> the next line when we do "scsi_host_put(pHba->host);".
Applied to 4.17/scsi-queue, thank you.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
2018-03-20 3:08 ` Martin K. Petersen
@ 2018-03-20 8:42 ` Christoph Hellwig
2018-03-20 9:58 ` Dan Carpenter
2018-03-21 22:37 ` Martin K. Petersen
3 siblings, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2018-03-20 8:42 UTC (permalink / raw)
To: kernel-janitors
On Mon, Mar 19, 2018 at 11:08:37PM -0400, Martin K. Petersen wrote:
>
> Dan,
>
> > The scsi_host_put() function frees "pHba" and then we dereference it on
> > the next line when we do "scsi_host_put(pHba->host);".
>
> Applied to 4.17/scsi-queue, thank you.
This fix is broken! adpt_i2o_delete_hba references pHba->host as well.
Instead we need a local variable for the host. Fix below:
---
From 701440055539c0f72a3179d85a44bd59d45a7d4b Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Tue, 20 Mar 2018 09:40:44 +0100
Subject: dpt_i2o: fix use after free in adpt_release for real
Fixes: 7bec5bed ("scsi: dpt_i2o: use after free in adpt_release()")
adpt_i2o_delete_hba still references the host.
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
drivers/scsi/dpt_i2o.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 0f30792d74c4..35d45903ed2e 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -304,10 +304,12 @@ static int adpt_detect(struct scsi_host_template* sht)
static void adpt_release(adpt_hba *pHba)
{
- scsi_remove_host(pHba->host);
+ struct Scsi_Host *shost = pHba->host;
+
+ scsi_remove_host(shost);
// adpt_i2o_quiesce_hba(pHba);
- scsi_host_put(pHba->host);
adpt_i2o_delete_hba(pHba);
+ scsi_host_put(shost);
}
--
2.14.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
2018-03-20 3:08 ` Martin K. Petersen
2018-03-20 8:42 ` Christoph Hellwig
@ 2018-03-20 9:58 ` Dan Carpenter
2018-03-21 22:37 ` Martin K. Petersen
3 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2018-03-20 9:58 UTC (permalink / raw)
To: kernel-janitors
Yeah. You're right. Thanks for catching that.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release()
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
` (2 preceding siblings ...)
2018-03-20 9:58 ` Dan Carpenter
@ 2018-03-21 22:37 ` Martin K. Petersen
3 siblings, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2018-03-21 22:37 UTC (permalink / raw)
To: kernel-janitors
Christoph,
> This fix is broken! adpt_i2o_delete_hba references pHba->host as well.
>
> Instead we need a local variable for the host.
Thanks for spotting this! Fixed it up.
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-03-21 22:37 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-19 10:33 [PATCH 1/2] scsi: dpt_i2o: use after free in adpt_release() Dan Carpenter
2018-03-20 3:08 ` Martin K. Petersen
2018-03-20 8:42 ` Christoph Hellwig
2018-03-20 9:58 ` Dan Carpenter
2018-03-21 22:37 ` Martin K. Petersen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.