author | Björn Bidar | 2022-06-24 20:03:01 +0300 |
---|---|---|
committer | Björn Bidar | 2022-06-25 16:46:45 +0300 |
commit | 657059c03d46120dea746abb196d9d622e21fe5f (patch) | |
tree | 2ae07d28cd858ef0cda12e3c8af27932d06c0fbb /0028-scsi-lpfc-Resolve-NULL-ptr-dereference-after-an-ELS-.patch | |
parent | 034adcf2fd3311bba3f58b8575b0be699ab3bd70 (diff) | |
Update to 5.18.6.p2-1
- New upstream release based on 5.18.5
- Add MGLRU Zen patch
- Add linux-5.18.6 patches
- Move System.map from -headers into the base package to avoid
external modules having wrong bpf symbols when running optimized
builds. Fixes #5
- Remove M/m from CPUSUFFIXES_KBUILD and LCPU, fixes build failing
when selecting an optimized build architecture that is not generic.
Fixes #6.
Signed-off-by: Björn Bidar <bjorn.bidar@thaodan.de>
Diffstat (limited to '0028-scsi-lpfc-Resolve-NULL-ptr-dereference-after-an-ELS-.patch')
-rw-r--r-- | 0028-scsi-lpfc-Resolve-NULL-ptr-dereference-after-an-ELS-.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/0028-scsi-lpfc-Resolve-NULL-ptr-dereference-after-an-ELS-.patch b/0028-scsi-lpfc-Resolve-NULL-ptr-dereference-after-an-ELS-.patch
new file mode 100644
index 000000000000..9a8f2487cb23
--- /dev/null
+++ b/0028-scsi-lpfc-Resolve-NULL-ptr-dereference-after-an-ELS-.patch
@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Fri, 3 Jun 2022 10:43:25 -0700
+Subject: [PATCH] scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is
+ aborted
+
+[ Upstream commit b1b3440f437b75fb2a9b0cfe58df461e40eca474 ]
+
+A use-after-free crash can occur after an ELS LOGO is aborted.
+
+Specifically, a nodelist structure is freed and then
+ndlp->vport->cfg_log_verbose is dereferenced in lpfc_nlp_get() when the
+discovery state machine is mistakenly called a second time with
+NLP_EVT_DEVICE_RM argument.
+
+Rework lpfc_cmpl_els_logo() to prevent the duplicate calls to release a
+nodelist structure.
+
+Link: https://lore.kernel.org/r/20220603174329.63777-6-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 892b3da1ba4508e3f06c8b48bd4cdc09764db642..9e389958003900896224066091d8f2cec8a942af 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -3035,18 +3035,10 @@ lpfc_cmpl_els_logo(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ spin_unlock_irq(&ndlp->lock);
+ lpfc_disc_state_machine(vport, ndlp, cmdiocb,
+ NLP_EVT_DEVICE_RM);
+- lpfc_els_free_iocb(phba, cmdiocb);
+- lpfc_nlp_put(ndlp);
+-
+- /* Presume the node was released. */
+- return;
++ goto out_rsrc_free;
+ }
+
+ out:
+- /* Driver is done with the IO. */
+- lpfc_els_free_iocb(phba, cmdiocb);
+- lpfc_nlp_put(ndlp);
+-
+ /* At this point, the LOGO processing is complete. NOTE: For a
+ * pt2pt topology, we are assuming the NPortID will only change
+ * on link up processing. For a LOGO / PLOGI initiated by the
+@@ -3073,6 +3065,10 @@ lpfc_cmpl_els_logo(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ ndlp->nlp_DID, ulp_status,
+ ulp_word4, tmo,
+ vport->num_disc_nodes);
++
++ lpfc_els_free_iocb(phba, cmdiocb);
++ lpfc_nlp_put(ndlp);
++
+ lpfc_disc_start(vport);
+ return;
+ }
+@@ -3089,6 +3085,10 @@ lpfc_cmpl_els_logo(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ lpfc_disc_state_machine(vport, ndlp, cmdiocb,
+ NLP_EVT_DEVICE_RM);
+ }
++out_rsrc_free:
++ /* Driver is done with the I/O. */
++ lpfc_els_free_iocb(phba, cmdiocb);
++ lpfc_nlp_put(ndlp);
+ }
+
+ /** |
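Review bot: The new `out_rsrc_free:` label in the carried patch is commented only with `/* Driver is done with the I/O. */`, which does not record the invariant the use-after-free fix depends on: every path through lpfc_cmpl_els_logo() must free the iocb and drop the node reference exactly once. After the rework there are two release sites, the block that ends in `lpfc_disc_start(vport); return;` and the label, so that `return` is what keeps the first path from falling through to a second `lpfc_nlp_put(ndlp)`. I would extend the label comment to something like `/* Single release point: free the iocb and drop the ndlp reference once; the branch that calls lpfc_disc_start() releases on its own and returns. */`. The function body starts before and continues between the three inner hunks, so whether any other path reaches the label after already releasing cannot be confirmed from this page.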