[PATCH AUTOSEL 5.14 64/75] scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
From: Sasha Levin <sashal@kernel.org>
Date: 2021-11-09 22:29:42
Also in:
linux-scsi, lkml
Subsystem:
emulex/broadcom lpfc fc/fcoe scsi driver, scsi subsystem, the rest · Maintainers:
Justin Tee, Paul Ely, "James E.J. Bottomley", "Martin K. Petersen", Linus Torvalds
From: James Smart <redacted> [ Upstream commit 79b20beccea3a3938a8500acef4e6b9d7c66142f ] An error is detected with the following report when unloading the driver: "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b" The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the flag is not cleared upon completion of the login. This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set to LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used as an rpi_ids array index. Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in lpfc_mbx_cmpl_fc_reg_login(). Link: https://lore.kernel.org/r/20211020211417.88754-5-jsmart2021@gmail.com (local) Co-developed-by: Justin Tee <justin.tee@broadcom.com> Signed-off-by: Justin Tee <justin.tee@broadcom.com> Signed-off-by: James Smart <redacted> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/scsi/lpfc/lpfc_hbadisc.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 7cc5920979f8a..6a7754105ce3a 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c@@ -4340,6 +4340,7 @@ lpfc_mbx_cmpl_fc_reg_login(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) ndlp->nlp_state); ndlp->nlp_flag |= NLP_RPI_REGISTERED; + ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND; ndlp->nlp_type |= NLP_FABRIC; lpfc_nlp_set_state(vport, ndlp, NLP_STE_UNMAPPED_NODE);
--
2.33.0