scsi: lpfc: Prevent 'use after free' memory overwrite in nvmet LS handling

Use-after-free memory overwrite detected. Problem reported by Ewan Milne at Red Hat after running lpfc target with additional memory checking enabled. Race condition when lpfc_nvmet_xmt_ls_rsp_cmp frees the ctxp memory in interrupt context before lpfc_nvmet_xmt_ls_rsp clears a field in the ctxp after successfully issuing the wqe. Remove the unnecessary ctxp write after reposting the rq buffer. The ctxp->rqb_buffer field is not checked in LS handling after the wqe is submitted. Signed-off-by: Dick Kennedy <[email protected]> Signed-off-by: James Smart <[email protected]> Reported-by: Ewan Milne <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]>
author: James Smart <[email protected]> 2019-05-21 17:48:59 -0700
committer: Martin K. Petersen <[email protected]> 2019-06-18 19:46:21 -0400
commit: 51d23fb28ccb355ee4d26dedacca24c171c2f664 (patch)
tree: 244cede07ab0daea39724fc51adfa1cd3583abdd
parent: f22bfe8d1c900b8ce2105223db69742d8ebc46fe (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
index a943b2a20001..08c2c4e3515b 100644
--- a/drivers/scsi/lpfc/lpfc_nvmet.c
+++ b/drivers/scsi/lpfc/lpfc_nvmet.c
@@ -907,7 +907,6 @@ lpfc_nvmet_xmt_ls_rsp(struct nvmet_fc_target_port *tgtport,
 		 * before freeing ctxp and iocbq.
 		 */
 		lpfc_in_buf_free(phba, &nvmebuf->dbuf);
-		ctxp->rqb_buffer = 0;
 		atomic_inc(&nvmep->xmt_ls_rsp);
 		return 0;
 	}
author	James Smart <[email protected]>	2019-05-21 17:48:59 -0700
committer	Martin K. Petersen <[email protected]>	2019-06-18 19:46:21 -0400
commit	51d23fb28ccb355ee4d26dedacca24c171c2f664 (patch)
tree	244cede07ab0daea39724fc51adfa1cd3583abdd
parent	f22bfe8d1c900b8ce2105223db69742d8ebc46fe (diff)