From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Letu Ren <fantasquex@gmail.com>, Zheyu Ma <zheyuma97@gmail.com>,
Saurav Kashyap <skashyap@marvell.com>,
Wende Tan <twd2.me@gmail.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
jhasan@marvell.com, GR-QLogic-Storage-Upstream@marvell.com,
jejb@linux.ibm.com, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.19 12/29] scsi: qedf: Fix a UAF bug in __qedf_probe()
Date: Sun, 2 Oct 2022 18:49:05 -0400
Message-ID: <20221002224922.238837-12-sashal@kernel.org>
In-Reply-To: <20221002224922.238837-1-sashal@kernel.org>
From: Letu Ren <fantasquex@gmail.com>
[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]
In __qedf_probe(), if qedf->cdev is NULL, which means
qed_ops->common->probe() failed, then the program will goto label err1, and
scsi_host_put() will free the lport->host pointer. Because the memory qedf
points to is allocated by libfc_host_alloc(), it will be freed by
scsi_host_put(). However, the if statement below label err0 only checks
whether qedf is NULL but doesn't check whether the memory has been freed.
So a UAF bug can occur.
There are two ways to reach the statements below err0. The first one is
described above: "qedf" should be set to NULL. The second one is to goto
"err0" directly. In the latter scenario qedf hasn't been changed and it has
the initial value NULL. As a result, the if statement is not reachable in
any situation.
The KASAN logs are as follows:
[ 2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[ 2.312969]
[ 2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 2.312969] Call Trace:
[ 2.312969] dump_stack_lvl+0x59/0x7b
[ 2.312969] print_address_description+0x7c/0x3b0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] __kasan_report+0x160/0x1c0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] kasan_report+0x4b/0x70
[ 2.312969] ? kobject_put+0x25d/0x290
[ 2.312969] kasan_check_range+0x2ca/0x310
[ 2.312969] __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] ? selinux_kernfs_init_security+0xdc/0x5f0
[ 2.312969] ? trace_rpm_return_int_rcuidle+0x18/0x120
[ 2.312969] ? rpm_resume+0xa5c/0x16e0
[ 2.312969] ? qedf_get_generic_tlv_data+0x160/0x160
[ 2.312969] local_pci_probe+0x13c/0x1f0
[ 2.312969] pci_device_probe+0x37e/0x6c0
Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Acked-by: Saurav Kashyap <skashyap@marvell.com>
Co-developed-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedf/qedf_main.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 3d6b137314f3..bbc4d5890ae6 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -3686,11 +3686,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode)
err1:
scsi_host_put(lport->host);
err0:
- if (qedf) {
- QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n");
-
- clear_bit(QEDF_PROBING, &qedf->flags);
- }
return rc;
}
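Review bot: Deleting the whole err0 block is the right fix rather than tightening the condition, because the `if (qedf)` check cannot tell a dangling pointer from a live one: on the err1 fall-through, `scsi_host_put(lport->host)` may have released the allocation that qedf points into, and on a direct jump to err0 qedf is still NULL, so the block is either a use-after-free or dead code. One thing worth stating in the commit message, since it is not visible in the hunk, is that the success path of __qedf_probe() still clears QEDF_PROBING, so removing this `clear_bit()` does not leave the bit set after a completed probe.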
--
2.35.1
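To make the lifetime ordering behind this fix concrete, here is an added C model, constructed for this note and not the qedf driver's own code: a refcounted host whose one allocation also carries the driver context, a `host_put()` standing in for scsi_host_put(), and a freed-access counter standing in for KASAN. The names `probe_tail`, `clear_probing`, `freed_accesses` and `pool` are hypothetical; `fixed=false` reproduces the pre-patch err0 block and `fixed=true` the patched tail.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed model, not the qedf driver: a refcounted host whose single
 * allocation also holds the driver context, as with libfc_host_alloc(). */
struct host {
	int refcnt;
	bool freed;    /* stands in for KASAN's freed-memory tracking */
	bool probing;  /* the model's QEDF_PROBING flag */
};
static struct host pool;     /* one static slot, so nothing is really freed */
static int freed_accesses;   /* how many times freed memory was touched */
static struct host *host_alloc(void)
{
	pool = (struct host){ .refcnt = 1, .probing = true };
	return &pool;
}

static void host_put(struct host *h)
{
	if (--h->refcnt == 0)
		h->freed = true;  /* memory is gone from here on */
}

/* Counts the access instead of touching memory the model has freed. */
static int clear_probing(struct host *ctx)
{
	if (ctx->freed) {
		freed_accesses++;
		return -1;
	}
	ctx->probing = false;
	return 0;
}

/* Probe error tail. fixed=false keeps the pre-patch err0 block, which
 * dereferences ctx after err1 has already dropped the host reference. */
static int probe_tail(bool cdev_fails, bool fixed)
{
	struct host *host = host_alloc();
	struct host *ctx = host;  /* ctx is carved out of the host allocation */
	freed_accesses = 0;
	if (cdev_fails)
		goto err1;        /* qed_ops->common->probe() returned NULL */
	clear_probing(ctx);       /* normal completion, host still alive */
	return 0;
err1:
	host_put(host);
	if (!fixed && ctx)        /* the NULL check cannot see that ctx dangles */
		clear_probing(ctx);
	return -ENODEV;
}
```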