| From 40bc9c18e30ba8197959d0ed96d0a94999b81050 Mon Sep 17 00:00:00 2001 |
| From: James Smart <jsmart2021@gmail.com> |
| Date: Tue, 12 Mar 2019 16:30:06 -0700 |
| Subject: scsi: lpfc: Fix use-after-free mailbox cmd completion |
| |
| [ Upstream commit 9b1640686470fbbd1c6efb35ada6fe1427ea8d0f ] |
| |
| When unloading the driver, mailbox commands may be sent without holding a |
| reference on the ndlp. By the time the mailbox command completes, the ndlp |
| may have reduced its ref counts and been freed. The problem was reported |
| by KASAN. |
| |
| While unregistering due to driver unload, make the completion a no-op by |
| setting the ndlp context to NULL. Due to the unload, no further action was |
| necessary. Also, while reviewing this path, the generic nulling of the |
| context after handling should be slightly moved. |
| |
| Reported by: Bart Van Assche <bvanassche@acm.org> |
| Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> |
| Signed-off-by: James Smart <jsmart2021@gmail.com> |
| Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/scsi/lpfc/lpfc_hbadisc.c | 4 ++++ |
| drivers/scsi/lpfc/lpfc_sli.c | 2 +- |
| 2 files changed, 5 insertions(+), 1 deletion(-) |
| |
| diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c |
| index 676f4bf3f33a3..75e9d46d44d42 100644 |
| --- a/drivers/scsi/lpfc/lpfc_hbadisc.c |
| +++ b/drivers/scsi/lpfc/lpfc_hbadisc.c |
| @@ -4873,6 +4873,10 @@ lpfc_unreg_rpi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) |
| * accept PLOGIs after unreg_rpi_cmpl |
| */ |
| acc_plogi = 0; |
| + } else if (vport->load_flag & FC_UNLOADING) { |
| + mbox->ctx_ndlp = NULL; |
| + mbox->mbox_cmpl = |
| + lpfc_sli_def_mbox_cmpl; |
| } else { |
| mbox->ctx_ndlp = ndlp; |
| mbox->mbox_cmpl = |
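Review bot: The new FC_UNLOADING branch hands the mailbox to lpfc_sli_def_mbox_cmpl with ctx_ndlp set to NULL but carries no comment saying why, so a reader of the completion cannot tell that the NULL is deliberate rather than a missed assignment; I would add above `mbox->ctx_ndlp = NULL;` the comment `/* Unloading: hold no ndlp reference, the completion must not touch ndlp since it may be freed before the mailbox completes */`. The branch is only reached when the preceding condition (outside the hunk) is false, so if that condition holds during unload the earlier path, which sets acc_plogi and presumably still attaches ndlp, is taken — worth confirming that is intended. The load_flag read here is not visibly under a lock; if lpfc_unreg_rpi already holds one covering load_flag that is fine, otherwise the check can race with the unload transition. The enclosing if-chain and lpfc_unreg_rpi's body start and end outside the hunk.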
| diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c |
| index 7d2abb70cf093..dc933b6d7800e 100644 |
| --- a/drivers/scsi/lpfc/lpfc_sli.c |
| +++ b/drivers/scsi/lpfc/lpfc_sli.c |
| @@ -2502,8 +2502,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) |
| } else { |
| ndlp->nlp_flag &= ~NLP_UNREG_INP; |
| } |
| + pmb->ctx_ndlp = NULL; |
| } |
| - pmb->ctx_ndlp = NULL; |
| } |
| |
| /* Check security permission status on INIT_LINK mailbox command */ |
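Review bot: Moving `pmb->ctx_ndlp = NULL;` inside the enclosing block changes when the context is cleared, but the condition that block tests opens above the hunk, so from here a reader cannot verify that the path where it fails still ends with a cleared context. I would add a one-line comment on the moved line, e.g. `/* ndlp handling done; drop the context before pmb is released */`, and, if the enclosing condition is a test on ndlp, say in the commit message that the context is already NULL when that test fails so nothing is lost. With the FC_UNLOADING path in lpfc_hbadisc.c the completion now runs with ctx_ndlp NULL by design, so this function's tolerance of a NULL ndlp is the contract both sites depend on and deserves a note at the top of the function.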
| -- |
| 2.20.1 |
| |