From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>, Justin Tee <justin.tee@broadcom.com>
Subject: [PATCH 4/8] lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
Date: Wed, 20 Oct 2021 14:14:13 -0700 [thread overview]
Message-ID: <20211020211417.88754-5-jsmart2021@gmail.com> (raw)
In-Reply-To: <20211020211417.88754-1-jsmart2021@gmail.com>
An error is detected with the following report when unloading the driver:
"KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"
The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but
the flag is not cleared upon completion of the login.
This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi
set to LPFC_RPI_ALLOW_ERROR. This results in a use-after-free access
when used as an rpi_ids array index.
Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
lpfc_mbx_cmpl_fc_reg_login().
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
drivers/scsi/lpfc/lpfc_hbadisc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 0b1e1cc00e01..4c068fbb550a 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4372,6 +4372,7 @@ lpfc_mbx_cmpl_fc_reg_login(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
ndlp->nlp_state);
ndlp->nlp_flag |= NLP_RPI_REGISTERED;
+ ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND;
ndlp->nlp_type |= NLP_FABRIC;
lpfc_nlp_set_state(vport, ndlp, NLP_STE_UNMAPPED_NODE);
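Review bot: the new `ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND;` sits only on the successful-completion path of lpfc_mbx_cmpl_fc_reg_login() (the branch that also sets NLP_RPI_REGISTERED and moves the node to NLP_STE_UNMAPPED_NODE). Please confirm the error-status path of the same completion handler also clears NLP_REG_LOGIN_SEND, or state in the commit message why it need not; otherwise a failed REG_LOGIN would leave the flag stale and the second lpfc_unreg_rpi() call the description warns about could still proceed with nlp_rpi at LPFC_RPI_ALLOW_ERROR. Placing the clear beside the existing NLP_RPI_REGISTERED update is good, since it inherits whatever serialization already covers that nlp_flag write.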
--
2.26.2