The branch stable/13 has been updated by ram:
URL:
https://cgit.FreeBSD.org/src/commit/?id=5749a57326068f073555a5c043befade7bc37abf
commit 5749a57326068f073555a5c043befade7bc37abf
Author: Ram Kishore Vegesna <r...@freebsd.org>
AuthorDate: 2021-05-28 05:51:10 +0000
Commit: Ram Kishore Vegesna <r...@freebsd.org>
CommitDate: 2021-12-17 10:12:25 +0000
ocs_fc: Fix use after free bug in ocs_hw_async_call()
Freed ctx is used in the later callee ocs_hw_command(),
which is a use after free bug.
Return error if sli_cmd_common_nop() failed.
PR: 255865
Reported by: lylg...@foxmail.com
Approved by:: markj
(cherry picked from commit 7377d3831bc8abec2d6e5fee359d7383d4551feb)
---
sys/dev/ocs_fc/ocs_hw.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/sys/dev/ocs_fc/ocs_hw.c b/sys/dev/ocs_fc/ocs_hw.c
index d28d5e4a08b7..aa7d5857d9d9 100644
--- a/sys/dev/ocs_fc/ocs_hw.c
+++ b/sys/dev/ocs_fc/ocs_hw.c
@@ -11778,7 +11778,6 @@ ocs_hw_async_cb(ocs_hw_t *hw, int32_t status, uint8_t
*mqe, void *arg)
int32_t
ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t callback, void *arg)
{
- int32_t rc = 0;
ocs_hw_async_call_ctx_t *ctx;
/*
@@ -11798,15 +11797,15 @@ ocs_hw_async_call(ocs_hw_t *hw, ocs_hw_async_cb_t
callback, void *arg)
if (sli_cmd_common_nop(&hw->sli, ctx->cmd, sizeof(ctx->cmd), 0) == 0) {
ocs_log_err(hw->os, "COMMON_NOP format failure\n");
ocs_free(hw->os, ctx, sizeof(*ctx));
- rc = -1;
+ return OCS_HW_RTN_ERROR;
}
if (ocs_hw_command(hw, ctx->cmd, OCS_CMD_NOWAIT, ocs_hw_async_cb, ctx))
{
ocs_log_err(hw->os, "COMMON_NOP command failure\n");
ocs_free(hw->os, ctx, sizeof(*ctx));
- rc = -1;
+ return OCS_HW_RTN_ERROR;
}
- return rc;
+ return OCS_HW_RTN_SUCCESS;
}
/**
