From: Justin Tee <justintee8345@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: jsmart2021@gmail.com, justin.tee@broadcom.com,
Justin Tee <justintee8345@gmail.com>
Subject: [PATCH 1/9] lpfc: Fix use-after-free rport memory access in lpfc_register_remote_port
Date: Tue, 23 May 2023 11:31:58 -0700 [thread overview]
Message-ID: <20230523183206.7728-2-justintee8345@gmail.com> (raw)
In-Reply-To: <20230523183206.7728-1-justintee8345@gmail.com>
Due to a target port D_ID swap, it is possible for the
lpfc_register_remote_port routine to touch post mortem fc_rport memory when
trying to access fc_rport->dd_data.
The D_ID swap causes a simultaneous call to lpfc_unregister_remote_port,
where fc_remote_port_delete reclaims fc_rport memory.
Remove the fc_rport->dd_data->pnode NULL assignment because the following
line reassigns ndlp->rport with an fc_rport object from fc_remote_port_add
anyways. The pnode nullification is superfluous.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
---
drivers/scsi/lpfc/lpfc_hbadisc.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 67bfdddb897c..63e42e3f2165 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4498,14 +4498,6 @@ lpfc_register_remote_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
if (vport->load_flag & FC_UNLOADING)
return;
- /*
- * Disassociate any older association between this ndlp and rport
- */
- if (ndlp->rport) {
- rdata = ndlp->rport->dd_data;
- rdata->pnode = NULL;
- }
-
ndlp->rport = rport = fc_remote_port_add(shost, 0, &rport_ids);
if (!rport) {
dev_printk(KERN_WARNING, &phba->pcidev->dev,
--
2.38.0
next prev parent reply other threads:[~2023-05-23 18:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-23 18:31 [PATCH 0/9] lpfc: Update lpfc to revision 14.2.0.13 Justin Tee
2023-05-23 18:31 ` Justin Tee [this message]
2023-05-31 16:46 ` [PATCH 1/9] lpfc: Fix use-after-free rport memory access in lpfc_register_remote_port Martin Wilck
2023-05-23 18:31 ` [PATCH 2/9] lpfc: Clear NLP_IN_DEV_LOSS flag if already in rediscovery Justin Tee
2023-05-23 18:32 ` [PATCH 3/9] lpfc: Account for fabric domain ctlr device loss recovery Justin Tee
2023-05-31 16:47 ` Martin Wilck
2023-05-23 18:32 ` [PATCH 4/9] lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state Justin Tee
2023-05-23 18:32 ` [PATCH 5/9] lpfc: Change firmware upgrade logging to KERN_NOTICE instead of TRACE_EVENT Justin Tee
2023-05-23 18:32 ` [PATCH 6/9] lpfc: Clean up SLI-4 CQE status handling Justin Tee
2023-05-23 18:32 ` [PATCH 7/9] lpfc: Enhance congestion statistics collection Justin Tee
2023-05-23 18:32 ` [PATCH 8/9] lpfc: Update lpfc version to 14.2.0.13 Justin Tee
2023-05-23 18:32 ` [PATCH 9/9] lpfc: Copyright updates for 14.2.0.13 patches Justin Tee
2023-05-31 22:15 ` [PATCH 0/9] lpfc: Update lpfc to revision 14.2.0.13 Martin K. Petersen
2023-06-08 1:42 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230523183206.7728-2-justintee8345@gmail.com \
--to=justintee8345@gmail.com \
--cc=jsmart2021@gmail.com \
--cc=justin.tee@broadcom.com \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.