diff options
| author | Johannes Thumshirn <[email protected]> | 2015-08-17 13:03:02 +0200 | 
|---|---|---|
| committer | James Bottomley <[email protected]> | 2015-09-06 11:51:39 -0700 | 
| commit | 612872cabf5be6f95d43d9a88eef38201ae8005d (patch) | |
| tree | f6464c146b2c2c9b2b5f95832bbdf626b82ecd4d /drivers/mtd/lpddr/lpddr_cmds.c | |
| parent | 6f3d828f5bd72174c24789aba5d4ed036b60f44b (diff) | |
lpfc: Fix possible use-after-free and double free in lpfc_mbx_cmpl_rdp_page_a2()
If the bf_get() call in lpfc_mbx_cmpl_rdp_page_a2() does succeeds, execution
continues normally and mp gets kfree()d.
If the subsequent call to lpfc_sli_issue_mbox() fails execution jumps to the
error label where lpfc_mbuf_free() is called with mp->virt and mp->phys as
function arguments. This is the use after free. Following the use after free mp
gets kfree()d again which is a double free.
Signed-off-by: Johannes Thumshirn <[email protected]>
Acked-by: James Smart <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Diffstat (limited to 'drivers/mtd/lpddr/lpddr_cmds.c')
0 files changed, 0 insertions, 0 deletions