Re: [PATCH 1/3] fcoe: fix use-after-free in fcoe_ctlr_els_send

On 07/31/2018 03:46 PM, Johannes Thumshirn wrote:
> KASAN reports a use-after-free in fcoe_ctlr_els_send() when we're
> sending a LOGO and have FIP debugging enabled. This is because we're
> first freeing the skb and then printing the frame's DID. But the DID
> is a member of the FC frame header which in turn is the skb's payload.
> 
> Exchange the debug print and kfree_skb() calls so we're not touching
> the freed data.
> 
> Signed-off-by: Johannes Thumshirn <jthumshirn@xxxxxxx>
> ---
>  drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c
> index ea23c8dffc25..ceb35ebbeb8f 100644
> --- a/drivers/scsi/fcoe/fcoe_ctlr.c
> +++ b/drivers/scsi/fcoe/fcoe_ctlr.c
> @@ -799,9 +799,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr *fip, struct fc_lport *lport,
>  	fip->send(fip, skb);
>  	return -EINPROGRESS;
>  drop:
> -	kfree_skb(skb);
>  	LIBFCOE_FIP_DBG(fip, "drop els_send op %u d_id %x\n",
>  			op, ntoh24(fh->fh_d_id));
> +	kfree_skb(skb);
>  	return -EINVAL;
>  }
>  EXPORT_SYMBOL(fcoe_ctlr_els_send);
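Review bot: the commit message for this hunk has no Fixes: tag and no Cc: stable line, which it should carry, since this is a KASAN-confirmed use-after-free that anyone with FIP debugging enabled can hit; the ordering change itself is correct, because fh points into the skb payload and LIBFCOE_FIP_DBG() dereferences it through fh->fh_d_id, so the print must precede kfree_skb(skb). A one-line comment above the debug print saying that fh is only valid until kfree_skb() would also keep a later cleanup from swapping the two lines back.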
> 
Reviewed-by: Hannes Reinecke <hare@xxxxxxxx>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		   Teamlead Storage & Networking
hare@xxxxxxx			               +49 911 74053 688
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: F. Imendörffer, J. Smithard, J. Guild, D. Upmanyu, G. Norton
HRB 21284 (AG Nürnberg)
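A user-space model of the bug and of the fix, as an added example that is not part of this thread or of the kernel's fcoe code: it reproduces the drop-path ordering with a poison-on-free allocator standing in for KASAN, so the stale read in the pre-patch ordering returns the poison pattern instead of the DID, while the post-patch ordering returns the DID that was in the frame header. `struct skb`, `kfree_skb_poison()`, `release_freed()`, `make_els_skb()`, `drop_before_patch()`, `drop_after_patch()` and the two `run_*` wrappers are hypothetical names invented for this example, and the sample DID is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xAA	/* byte pattern written over freed memory, as KASAN does */

/* Minimal FC frame header; only the 24-bit destination ID matters here. */
struct fc_frame_header {
	uint8_t fh_r_ctl;
	uint8_t fh_d_id[3];
	uint8_t fh_cs_ctl;
	uint8_t fh_s_id[3];
};

/* Hypothetical stand-in for struct sk_buff: payload pointer plus length. */
struct skb {
	uint8_t *data;
	size_t len;
};

/* Big-endian 24-bit load, same semantics as the kernel's ntoh24(). */
static uint32_t ntoh24(const uint8_t *p)
{
	return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/*
 * The "freed" block stays mapped and is overwritten with POISON, so the
 * stale read below is deterministic rather than undefined behaviour on a
 * real heap; release_freed() hands the block back to libc afterwards.
 */
static uint8_t *freed_block;

static void kfree_skb_poison(struct skb *skb)
{
	memset(skb->data, POISON, skb->len);
	freed_block = skb->data;
	skb->data = NULL;
	skb->len = 0;
}

static void release_freed(void)
{
	free(freed_block);
	freed_block = NULL;
}

/* Build an skb whose payload is an FC header carrying the given DID. */
static struct skb make_els_skb(uint32_t d_id)
{
	struct skb skb;
	struct fc_frame_header *fh;

	skb.len = sizeof(*fh);
	skb.data = calloc(1, skb.len);
	if (!skb.data)
		abort();
	fh = (struct fc_frame_header *)skb.data;
	fh->fh_d_id[0] = (d_id >> 16) & 0xff;
	fh->fh_d_id[1] = (d_id >> 8) & 0xff;
	fh->fh_d_id[2] = d_id & 0xff;
	return skb;
}

/* Pre-patch ordering: free first, then read fh->fh_d_id for the debug print. */
static uint32_t drop_before_patch(struct skb *skb)
{
	struct fc_frame_header *fh = (struct fc_frame_header *)skb->data;

	kfree_skb_poison(skb);
	return ntoh24(fh->fh_d_id);	/* stale read: fh points into freed payload */
}

/* Post-patch ordering: read the DID while the skb is alive, then free. */
static uint32_t drop_after_patch(struct skb *skb)
{
	struct fc_frame_header *fh = (struct fc_frame_header *)skb->data;
	uint32_t d_id = ntoh24(fh->fh_d_id);

	kfree_skb_poison(skb);
	return d_id;
}

/* Wrappers that run one drop path end to end and return what the debug
 * print would have shown. */
static uint32_t run_before_patch(uint32_t d_id)
{
	struct skb skb = make_els_skb(d_id);
	uint32_t seen = drop_before_patch(&skb);

	release_freed();
	return seen;
}

static uint32_t run_after_patch(uint32_t d_id)
{
	struct skb skb = make_els_skb(d_id);
	uint32_t seen = drop_after_patch(&skb);

	release_freed();
	return seen;
}

int main(void)
{
	uint32_t d_id = 0xfffffd;	/* constructed sample DID */

	printf("before patch: d_id %06x\n", run_before_patch(d_id));
	printf("after patch:  d_id %06x\n", run_after_patch(d_id));
	return 0;
}
```

With a real allocator the pre-patch read is plain undefined behaviour and may happen to return the old DID, which is why the bug was only noticed under KASAN; the poison here makes the difference visible unconditionally.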


