From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>, Justin Tee <justin.tee@broadcom.com>
Subject: [PATCH v2 07/16] lpfc: Fix use-after-free on unused nodes after port swap
Date: Sun, 11 Apr 2021 18:31:18 -0700
Message-ID: <20210412013127.2387-8-jsmart2021@gmail.com>
In-Reply-To: <20210412013127.2387-1-jsmart2021@gmail.com>

During target port swap, the swap logic ignores the DROPPED flag in
the nodes. As a node then moves into the UNUSED state, the reference
count will be dropped. If a node is later reused and moved out of the
UNUSED state, an access can result in a use-after-free assert.

Fix by having the port swap logic propagate the DROPPED flag when
switching nodes. This will avoid the reference being dropped.

Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
 drivers/scsi/lpfc/lpfc_els.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index ed57d92e96e1..c919bedd931c 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1691,6 +1691,15 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 	else
 		new_ndlp->nlp_flag &= ~NLP_RPI_REGISTERED;
 
+	/*
+	 * Retain the DROPPED flag. This will take care of the init
+	 * refcount when affecting the state change
+	 */
+	if (keep_new_nlp_flag & NLP_DROPPED)
+		new_ndlp->nlp_flag |= NLP_DROPPED;
+	else
+		new_ndlp->nlp_flag &= ~NLP_DROPPED;
+
 	ndlp->nlp_flag = keep_new_nlp_flag;
 
 	/* if ndlp had NLP_UNREG_INP set, keep it */
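Review bot: the new keep-or-clear block for NLP_DROPPED on new_ndlp is a verbatim copy of the NLP_RPI_REGISTERED handling visible just above it (`else new_ndlp->nlp_flag &= ~NLP_RPI_REGISTERED;`), so every further node-local flag will need another eight lines here and again for ndlp below. Consider collecting the bits that must not change owner into one mask and doing the retention in a single expression, e.g. `new_ndlp->nlp_flag = (new_ndlp->nlp_flag & ~NLP_KEEP_MASK) | (keep_new_nlp_flag & NLP_KEEP_MASK);`, which also makes the set of retained flags visible in one place. Separately, the commit message says the fix "propagates" the DROPPED flag when switching nodes, whereas this hunk keeps each node's own DROPPED bit and explicitly clears it when the node did not have it; aligning the commit message with the comment's "Retain" wording would avoid a re-read.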
@@ -1705,6 +1714,15 @@ lpfc_plogi_confirm_nport(struct lpfc_hba *phba, uint32_t *prsp,
 	else
 		ndlp->nlp_flag &= ~NLP_RPI_REGISTERED;
 
+	/*
+	 * Retain the DROPPED flag. This will take care of the init
+	 * refcount when affecting the state change
+	 */
+	if (keep_nlp_flag & NLP_DROPPED)
+		ndlp->nlp_flag |= NLP_DROPPED;
+	else
+		ndlp->nlp_flag &= ~NLP_DROPPED;
+
 	spin_unlock_irq(&new_ndlp->lock);
 	spin_unlock_irq(&ndlp->lock);
 
-- 
2.26.2
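To make the failure mode in the commit message concrete, the following is a constructed C model added here; it is not lpfc code, and the struct layout, flag values, the refcount helpers and the names `node_set_unused`, `swap_flags_naive`, `swap_flags_keep` and `run_port_swap` are all invented for the illustration. It runs the same sequence twice: node b has already passed through UNUSED once (initial reference gone, DROPPED set), a caller holding references to both nodes performs the port swap, both nodes are then retired to UNUSED, and the caller releases its references. With a whole-word flag swap the DROPPED bit changes owner, b releases a reference it no longer holds and the caller's final put lands on a freed node; with the node-local bits kept on their owner every reference is released exactly once.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the port-swap refcount hazard; not lpfc code.
 * Flag names mirror lpfc's, but the values and structures are invented. */
#define NLP_DROPPED        0x01U   /* initial reference already released */
#define NLP_RPI_REGISTERED 0x02U   /* node-local state that must not swap */
#define NLP_NPR_2B_DISC    0x04U   /* stands in for discovery state that does swap */

/* Bits that stay with their owning node across a swap (assumption). */
#define NLP_KEEP_MASK (NLP_DROPPED | NLP_RPI_REGISTERED)

struct node {
	int refcnt;        /* one initial reference plus one per active user */
	unsigned flags;
	bool freed;
};

struct ctx {
	struct node a, b;
	int uaf;           /* puts that landed on an already freed node */
};

struct outcome {
	int a_refcnt, b_refcnt;
	int uaf;
};

static void node_put(struct ctx *c, struct node *n)
{
	if (n->freed) {          /* touching a freed node: the use-after-free */
		c->uaf++;
		return;
	}
	if (--n->refcnt == 0)
		n->freed = true;
}

/* Entering UNUSED releases the initial reference exactly once; NLP_DROPPED
 * records that it is gone so a later transition does not put it again. */
static void node_set_unused(struct ctx *c, struct node *n)
{
	if (n->flags & NLP_DROPPED)
		return;
	n->flags |= NLP_DROPPED;
	node_put(c, n);
}

/* Pre-fix behaviour: every flag bit changes owner, NLP_DROPPED included. */
static void swap_flags_naive(struct node *x, struct node *y)
{
	unsigned t = x->flags;

	x->flags = y->flags;
	y->flags = t;
}

/* Fixed behaviour: discovery state swaps, node-local bits stay put. */
static void swap_flags_keep(struct node *x, struct node *y)
{
	unsigned x_keep = x->flags & NLP_KEEP_MASK;
	unsigned y_keep = y->flags & NLP_KEEP_MASK;
	unsigned x_swap = x->flags & ~NLP_KEEP_MASK;
	unsigned y_swap = y->flags & ~NLP_KEEP_MASK;

	x->flags = y_swap | x_keep;
	y->flags = x_swap | y_keep;
}

/* Scenario: b already went UNUSED once; a caller holds a reference to both
 * nodes while it performs the swap, then both nodes are retired and the
 * caller drops its references. Returns the final state for inspection. */
struct outcome run_port_swap(bool retain_dropped)
{
	struct ctx c = {
		.a = { .refcnt = 2, .flags = NLP_NPR_2B_DISC | NLP_RPI_REGISTERED },
		.b = { .refcnt = 2, .flags = 0 },
	};

	node_set_unused(&c, &c.b);              /* b: refcnt 1, DROPPED set */

	if (retain_dropped)
		swap_flags_keep(&c.a, &c.b);
	else
		swap_flags_naive(&c.a, &c.b);

	node_set_unused(&c, &c.a);
	node_set_unused(&c, &c.b);

	node_put(&c, &c.a);                     /* caller releases its references */
	node_put(&c, &c.b);

	return (struct outcome){ c.a.refcnt, c.b.refcnt, c.uaf };
}

int main(void)
{
	struct outcome naive = run_port_swap(false);
	struct outcome fixed = run_port_swap(true);

	printf("naive swap: a refcnt %d, b refcnt %d, use-after-free puts %d\n",
	       naive.a_refcnt, naive.b_refcnt, naive.uaf);
	printf("keep swap:  a refcnt %d, b refcnt %d, use-after-free puts %d\n",
	       fixed.a_refcnt, fixed.b_refcnt, fixed.uaf);
	return 0;
}
```

In the naive run node a is left with a reference nobody will ever put (its DROPPED bit arrived from b, so its own move to UNUSED is a no-op) while node b is freed under the caller's live reference; in the keep run both nodes reach zero only when the caller lets go. The mask form also shows why a single retained-bits mask is easier to audit than one keep-or-clear block per flag.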


Thread overview: 19+ messages
2021-04-12  1:31 [PATCH v2 00/16] lpfc: Update lpfc to revision 12.8.0.9 James Smart
2021-04-12  1:31 ` [PATCH v2 01/16] lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag James Smart
2021-04-12  1:31 ` [PATCH v2 02/16] lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response James Smart
2021-04-12  1:31 ` [PATCH v2 03/16] lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() James Smart
2021-04-12  1:31 ` [PATCH v2 04/16] lpfc: Fix NMI crash during rmmod due to circular hbalock dependency James Smart
2021-04-12  1:31 ` [PATCH v2 05/16] lpfc: Fix lack of device removal on port swaps with PRLIs James Smart
2021-04-12  1:31 ` [PATCH v2 06/16] lpfc: Fix error handling for mailboxes completed in MBX_POLL mode James Smart
2021-04-12  1:31 ` James Smart [this message]
2021-04-12  1:31 ` [PATCH v2 08/16] lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() James Smart
2021-04-12  1:31 ` [PATCH v2 09/16] lpfc: Fix missing FDMI registrations after Mgmt Svc login James Smart
2021-04-12  1:31 ` [PATCH v2 10/16] lpfc: Fix lpfc_hdw_queue attribute being ignored James Smart
2021-04-12  1:31 ` [PATCH v2 11/16] lpfc: Remove unsupported mbox PORT_CAPABILITIES logic James Smart
2021-04-12  1:31 ` [PATCH v2 12/16] lpfc: Fix various trivial errors in comments and log messages James Smart
2021-04-12  1:31 ` [PATCH v2 13/16] lpfc: Standardize discovery object logging format James Smart
2021-04-12  1:31 ` [PATCH v2 14/16] lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c James Smart
2021-04-12  1:31 ` [PATCH v2 15/16] lpfc: Update lpfc version to 12.8.0.9 James Smart
2021-04-12  1:31 ` [PATCH v2 16/16] lpfc: Copyright updates for 12.8.0.9 patches James Smart
2021-04-13  5:19 ` [PATCH v2 00/16] lpfc: Update lpfc to revision 12.8.0.9 Martin K. Petersen
2021-04-16  2:51 ` Martin K. Petersen
