Commit a4157aaf authored by Justin Tee's avatar Justin Tee Committed by Martin K. Petersen

scsi: lpfc: Fix use-after-free rport memory access in lpfc_register_remote_port()

Due to a target port D_ID swap, it is possible for the
lpfc_register_remote_port() routine to touch post mortem fc_rport memory
when trying to access fc_rport->dd_data.

The D_ID swap causes a simultaneous call to lpfc_unregister_remote_port(),
where fc_remote_port_delete() reclaims fc_rport memory.

Remove the fc_rport->dd_data->pnode NULL assignment because the following
line reassigns ndlp->rport with an fc_rport object from
fc_remote_port_add() anyways.  The pnode nullification is superfluous.
Signed-off-by: default avatarJustin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20230523183206.7728-2-justintee8345@gmail.comAcked-by: default avatarMartin Wilck <mwilck@suse.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent fd9ffa6c
...@@ -4498,14 +4498,6 @@ lpfc_register_remote_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) ...@@ -4498,14 +4498,6 @@ lpfc_register_remote_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
if (vport->load_flag & FC_UNLOADING) if (vport->load_flag & FC_UNLOADING)
return; return;
/*
* Disassociate any older association between this ndlp and rport
*/
if (ndlp->rport) {
rdata = ndlp->rport->dd_data;
rdata->pnode = NULL;
}
ndlp->rport = rport = fc_remote_port_add(shost, 0, &rport_ids); ndlp->rport = rport = fc_remote_port_add(shost, 0, &rport_ids);
if (!rport) { if (!rport) {
dev_printk(KERN_WARNING, &phba->pcidev->dev, dev_printk(KERN_WARNING, &phba->pcidev->dev,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment