| author | James Smart <jsmart2021@gmail.com> | 2020-05-20 11:59:28 -0700 | 
|---|---|---|
| committer | Christoph Hellwig <hch@lst.de> | 2020-05-27 07:12:41 +0200 | 
| commit | 4e57e0b9f343fd14497ab04b2bc08c1784830b9d (patch) | |
| tree | 662bbed36491bfd836cb7f2f5f0ecbcce3964b81 /tools/perf/scripts/python/futex-contention.py | |
| parent | fcdd14b86f6b891b5e894bf1dbeaf02cc79bdbce (diff) | |

lpfc: fix axchg pointer reference after free and double frees

The axchg structure is a structure allocated early in the
lpfc_nvme_unsol_ls_handler() to represent the newly received exchange.
Upon error, the out_fail path in the routine unconditionally frees the
pointer, yet subsequently passes the pointer to the abort routine.
Additionally, the abort routine, lpfc_nvme_unsol_ls_issue_abort(), also
has a failure path that will attempt to delete the pointer on error.

Fix these errors by:
- Removing the unconditional free so that it stays valid if passed
  to the abort routine.
- Revise the abort routine to not free the pointer. Instead, return
  a success/failure status. Note: if success, the later completion of
  the abort frees the structure.
- Back in the unsol_ls_handler() error path, if the abort routine was
  skipped (thus no possible reference) or the abort routine returned
  error, free the pointer.

Fixes: 3a8070c567aa ("lpfc: Refactor NVME LS receive handling")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>

Diffstat (limited to 'tools/perf/scripts/python/futex-contention.py')
0 files changed, 0 insertions, 0 deletions
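
The ownership rule the commit message describes, as an added user-space C example that is not the lpfc driver code: the abort routine never frees the exchange and only reports status, and the error path frees it only when the abort was skipped or failed. All names here (`struct exchange`, `issue_abort`, `abort_complete`, `handle_error`) are hypothetical stand-ins, and the abort completion is simulated by a direct call.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the received-exchange context. */
struct exchange { int id; };

static int frees;                /* frees performed in the current scenario */
static struct exchange *pending; /* exchange owned by an in-flight abort */

static void exchange_free(struct exchange *x)
{
    frees++;
    free(x);
}

/* Never frees x. 0: abort issued, its completion now owns x.
 * Nonzero: abort failed, the caller still owns x. */
static int issue_abort(struct exchange *x, bool abort_fails)
{
    if (abort_fails)
        return -1;
    pending = x;
    return 0;
}

/* Completion of an issued abort: the only free on that path. */
static void abort_complete(void)
{
    if (pending) {
        exchange_free(pending);
        pending = NULL;
    }
}

/* Error path of the handler. Returns how many times the exchange was
 * freed; exactly 1 means no leak and no double free. */
int handle_error(bool need_abort, bool abort_fails)
{
    struct exchange *x = calloc(1, sizeof(*x));
    int ret = 1; /* nonzero until an abort has taken ownership */

    if (!x)
        return -1;
    frees = 0;
    if (need_abort)
        ret = issue_abort(x, abort_fails); /* x is still valid here */
    if (ret)
        exchange_free(x); /* abort skipped or abort returned error */
    abort_complete();     /* simulated later completion */
    return frees;
}
```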
