From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>,
	Dick Kennedy <dick.kennedy@broadcom.com>
Subject: [PATCH v2 09/22] lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()
Date: Mon,  1 Mar 2021 09:18:08 -0800
Message-ID: <20210301171821.3427-10-jsmart2021@gmail.com>
In-Reply-To: <20210301171821.3427-1-jsmart2021@gmail.com>

It is possible to call lpfc_issue_els_plogi() passing a did for which
no matching ndlp is found. A call is then made to lpfc_prep_els_iocb()
with a null pointer to a lpfc_nodelist structure resulting in a null
pointer dereference.

Fix by returning an error status if no valid ndlp is found. Fix up comments
regarding ndlp reference counting.

Fixes: 4430f7fd09ec ("scsi: lpfc: Rework locations of ndlp reference taking")
Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
 drivers/scsi/lpfc/lpfc_els.c | 50 +++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 26 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index e0454c53267b..de67ba76374a 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1,7 +1,7 @@
 /*******************************************************************
  * This file is part of the Emulex Linux Device Driver for         *
  * Fibre Channel Host Bus Adapters.                                *
- * Copyright (C) 2017-2020 Broadcom. All Rights Reserved. The term *
+ * Copyright (C) 2017-2021 Broadcom. All Rights Reserved. The term *
  * “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.     *
  * Copyright (C) 2004-2016 Emulex.  All rights reserved.           *
  * EMULEX and SLI are trademarks of Emulex.                        *
@@ -2052,13 +2052,12 @@ lpfc_cmpl_els_plogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
  * This routine issues a Port Login (PLOGI) command to a remote N_Port
  * (with the @did) for a @vport. Before issuing a PLOGI to a remote N_Port,
  * the ndlp with the remote N_Port DID must exist on the @vport's ndlp list.
- * This routine constructs the proper feilds of the PLOGI IOCB and invokes
+ * This routine constructs the proper fields of the PLOGI IOCB and invokes
  * the lpfc_sli_issue_iocb() routine to send out PLOGI ELS command.
  *
- * Note that, in lpfc_prep_els_iocb() routine, the reference count of ndlp
- * will be incremented by 1 for holding the ndlp and the reference to ndlp
- * will be stored into the context1 field of the IOCB for the completion
- * callback function to the PLOGI ELS command.
+ * Note that the ndlp reference count will be incremented by 1 for holding
+ * the ndlp and the reference to ndlp will be stored into the context1 field
+ * of the IOCB for the completion callback function to the PLOGI ELS command.
  *
  * Return code
  *   0 - Successfully issued a plogi for @vport
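Review bot: The reworded note in the lpfc_issue_els_plogi() header ("the ndlp reference count will be incremented by 1") no longer names the routine that takes the reference, so a reader cannot tell from this comment where the matching put belongs. Name the function that takes it. Since this patch also adds a failure return when no ndlp matches @did, check that the Return code list documents that case next to "0 - Successfully issued a plogi for @vport".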
@@ -2076,29 +2075,28 @@ lpfc_issue_els_plogi(struct lpfc_vport *vport, uint32_t did, uint8_t retry)
 	int ret;
 
 	ndlp = lpfc_findnode_did(vport, did);
+	if (!ndlp)
+		return 1;
 
-	if (ndlp) {
-		/* Defer the processing of the issue PLOGI until after the
-		 * outstanding UNREG_RPI mbox command completes, unless we
-		 * are going offline. This logic does not apply for Fabric DIDs
-		 */
-		if ((ndlp->nlp_flag & NLP_UNREG_INP) &&
-		    ((ndlp->nlp_DID & Fabric_DID_MASK) != Fabric_DID_MASK) &&
-		    !(vport->fc_flag & FC_OFFLINE_MODE)) {
-			lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY,
-					 "4110 Issue PLOGI x%x deferred "
-					 "on NPort x%x rpi x%x Data: x%px\n",
-					 ndlp->nlp_defer_did, ndlp->nlp_DID,
-					 ndlp->nlp_rpi, ndlp);
-
-			/* We can only defer 1st PLOGI */
-			if (ndlp->nlp_defer_did == NLP_EVT_NOTHING_PENDING)
-				ndlp->nlp_defer_did = did;
-			return 0;
-		}
+	/* Defer the processing of the issue PLOGI until after the
+	 * outstanding UNREG_RPI mbox command completes, unless we
+	 * are going offline. This logic does not apply for Fabric DIDs
+	 */
+	if ((ndlp->nlp_flag & NLP_UNREG_INP) &&
+	    ((ndlp->nlp_DID & Fabric_DID_MASK) != Fabric_DID_MASK) &&
+	    !(vport->fc_flag & FC_OFFLINE_MODE)) {
+		lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY,
+				 "4110 Issue PLOGI x%x deferred "
+				 "on NPort x%x rpi x%x Data: x%px\n",
+				 ndlp->nlp_defer_did, ndlp->nlp_DID,
+				 ndlp->nlp_rpi, ndlp);
+
+		/* We can only defer 1st PLOGI */
+		if (ndlp->nlp_defer_did == NLP_EVT_NOTHING_PENDING)
+			ndlp->nlp_defer_did = did;
+		return 0;
 	}
 
-	/* If ndlp is not NULL, we will bump the reference count on it */
 	cmdsize = (sizeof(uint32_t) + sizeof(struct serv_parm));
 	elsiocb = lpfc_prep_els_iocb(vport, 1, cmdsize, retry, ndlp, did,
 				     ELS_CMD_PLOGI);
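Review bot: The new early exit "if (!ndlp) return 1;" fails silently, while the deferred branch right below it logs message 4110. A lookup miss for a DID the caller expected to be on the vport's ndlp list is worth an lpfc_printf_vlog() line that carries did, so the condition can be diagnosed from logs instead of showing up only as a non-zero return. Separately, the deferred branch still returns 0, which the header comment documents as "Successfully issued a plogi" although no PLOGI was sent on that path; the Return code comment should say that 0 also covers a deferred PLOGI.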
-- 
2.26.2

