From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zheyu Ma <zheyuma97@gmail.com>,
Saurav Kashyap <skashyap@marvell.com>,
Wende Tan <twd2.me@gmail.com>, Letu Ren <fantasquex@gmail.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 08/38] scsi: qedf: Fix a UAF bug in __qedf_probe()
Date: Thu, 13 Oct 2022 19:52:09 +0200 [thread overview]
Message-ID: <20221013175144.546603830@linuxfoundation.org> (raw)
In-Reply-To: <20221013175144.245431424@linuxfoundation.org>
From: Letu Ren <fantasquex@gmail.com>
[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]
In __qedf_probe(), if qedf->cdev is NULL which means
qed_ops->common->probe() failed, then the program will goto label err1, and
scsi_host_put() will free lport->host pointer. Because the memory qedf
points to is allocated by libfc_host_alloc(), it will be freed by
scsi_host_put(). However, the if statement below label err0 only checks
whether qedf is NULL but doesn't check whether the memory has been freed.
So a UAF bug can occur.
There are two ways to reach the statements below err0. The first one is
described as before, "qedf" should be set to NULL. The second one is goto
"err0" directly. In the latter scenario qedf hasn't been changed and it has
the initial value NULL. As a result the if statement is not reachable in
any situation.
The KASAN logs are as follows:
[ 2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[ 2.312969]
[ 2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 2.312969] Call Trace:
[ 2.312969] dump_stack_lvl+0x59/0x7b
[ 2.312969] print_address_description+0x7c/0x3b0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] __kasan_report+0x160/0x1c0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] kasan_report+0x4b/0x70
[ 2.312969] ? kobject_put+0x25d/0x290
[ 2.312969] kasan_check_range+0x2ca/0x310
[ 2.312969] __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] ? selinux_kernfs_init_security+0xdc/0x5f0
[ 2.312969] ? trace_rpm_return_int_rcuidle+0x18/0x120
[ 2.312969] ? rpm_resume+0xa5c/0x16e0
[ 2.312969] ? qedf_get_generic_tlv_data+0x160/0x160
[ 2.312969] local_pci_probe+0x13c/0x1f0
[ 2.312969] pci_device_probe+0x37e/0x6c0
Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Acked-by: Saurav Kashyap <skashyap@marvell.com>
Co-developed-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedf/qedf_main.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index c95e04cc6424..f864ef059d29 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -3544,11 +3544,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode)
err1:
scsi_host_put(lport->host);
err0:
- if (qedf) {
- QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n");
-
- clear_bit(QEDF_PROBING, &qedf->flags);
- }
return rc;
}
--
2.35.1
next prev parent reply other threads:[~2022-10-13 17:54 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-13 17:52 [PATCH 5.4 00/38] 5.4.218-rc1 review Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 01/38] mm: pagewalk: Fix race between unmap and page walker Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 02/38] perf tools: Fixup get_current_dir_name() compilation Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 03/38] fs: fix UAF/GPF bug in nilfs_mdt_destroy Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 04/38] firmware: arm_scmi: Add SCMI PM driver remove routine Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 05/38] dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 06/38] dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 07/38] ARM: dts: fix Moxa SDIO compatible, remove sdhci misnomer Greg Kroah-Hartman
2022-10-13 17:52 ` Greg Kroah-Hartman [this message]
2022-10-13 17:52 ` [PATCH 5.4 09/38] net/ieee802154: fix uninit value bug in dgram_sendmsg Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 10/38] um: Cleanup syscall_handler_t cast in syscalls_32.h Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 11/38] um: Cleanup compiler warning in arch/x86/um/tls_32.c Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 12/38] arch: um: Mark the stack non-executable to fix a binutils warning Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 13/38] usb: mon: make mmapped memory read only Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 14/38] USB: serial: ftdi_sio: fix 300 bps rate for SIO Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 15/38] mmc: core: Replace with already defined values for readability Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 16/38] mmc: core: Terminate infinite loop in SD-UHS voltage switch Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 17/38] rpmsg: qcom: glink: replace strncpy() with strscpy_pad() Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 18/38] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 19/38] nilfs2: fix leak of nilfs_root in case of writer thread creation failure Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 20/38] nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 21/38] ceph: dont truncate file in atomic_open Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 22/38] random: clamp credited irq bits to maximum mixed Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 23/38] ALSA: hda: Fix position reporting on Poulsbo Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 24/38] efi: Correct Macmini DMI match in uefi cert quirk Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 25/38] scsi: stex: Properly zero out the passthrough command structure Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 26/38] USB: serial: qcserial: add new usb-id for Dell branded EM7455 Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 27/38] random: restore O_NONBLOCK support Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 28/38] random: avoid reading two cache lines on irq randomness Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 29/38] random: use expired timer rather than wq for mixing fast pool Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 30/38] wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans() Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 31/38] wifi: cfg80211/mac80211: reject bad MBSSID elements Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 32/38] wifi: cfg80211: ensure length byte is present before access Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 33/38] wifi: cfg80211: fix BSS refcounting bugs Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 34/38] wifi: cfg80211: avoid nontransmitted BSS list corruption Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 35/38] wifi: mac80211_hwsim: avoid mac80211 warning on bad rate Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 36/38] wifi: cfg80211: update hidden BSSes to avoid WARN_ON Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 37/38] Input: xpad - add supported devices as contributed on github Greg Kroah-Hartman
2022-10-13 17:52 ` [PATCH 5.4 38/38] Input: xpad - fix wireless 360 controller breaking after suspend Greg Kroah-Hartman
2022-10-13 20:04 ` [PATCH 5.4 00/38] 5.4.218-rc1 review Florian Fainelli
2022-10-14 11:15 ` Naresh Kamboju
2022-10-14 11:47 ` Sudip Mukherjee (Codethink)
2022-10-14 15:46 ` Shuah Khan
2022-10-14 15:54 ` Jon Hunter
2022-10-14 23:07 ` Guenter Roeck
2022-10-17 1:35 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221013175144.546603830@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fantasquex@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=sashal@kernel.org \
--cc=skashyap@marvell.com \
--cc=stable@vger.kernel.org \
--cc=twd2.me@gmail.com \
--cc=zheyuma97@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).