Re: [PATCH] scsi: lpfc: nvmet: avoid hang / use-after-free again when destroying targetport

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/29/2020 4:10 PM, Ewan D. Milne wrote:

We cannot wait on a completion object in the lpfc_nvme_targetport structure
in the _destroy_targetport() code path because the NVMe/fc transport will
free that structure immediately after the .targetport_delete() callback.
This results in a use-after-free, and a crash if slub_debug=FZPU is enabled.

An earlier fix put put the completion on the stack, but commit 2a0fb340fcc8
("scsi: lpfc: Correct localport timeout duration error") subsequently changed
the code to reference the completion through a pointer in the object rather
than the local stack variable.  Fix this by using the stack variable directly.

Fixes: 2a0fb340fcc8 ("scsi: lpfc: Correct localport timeout duration error")
Signed-off-by: Ewan D. Milne <emilne@xxxxxxxxxx>
---



Thanks Ewan

Reviewed-by: James Smart <james.smart@xxxxxxxxxxxx>

-- james
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux