From patchwork Mon Jul 22 21:03:48 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1963431
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] scsi: qla2xxx: Fix double free of fcport
Date: Mon, 22 Jul 2024 16:03:48 -0500
Message-Id: <20240722210348.30814-2-bethany.jamison@canonical.com>
In-Reply-To: <20240722210348.30814-1-bethany.jamison@canonical.com>
References: <20240722210348.30814-1-bethany.jamison@canonical.com>
From: Saurav Kashyap

The server was crashing after LOGO because fcport was getting freed twice.

-----------[ cut here ]-----------
kernel BUG at mm/slub.c:371!
invalid opcode: 0000 1 SMP PTI
CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1
Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
RIP: 0010:set_freepointer.part.57+0x0/0x10
RSP: 0018:ffffb07107027d90 EFLAGS: 00010246
RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400
RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500
RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009
R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500
R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58
FS:  00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 kfree+0x238/0x250
 qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]
 ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]
 qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
 ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
 ? kernfs_fop_write+0x11e/0x1a0

Remove one of the free calls and add check for valid fcport. Also use function qla2x00_free_fcport() instead of kfree().

Cc: stable@vger.kernel.org
Signed-off-by: Saurav Kashyap
Signed-off-by: Nilesh Javali
Link: https://lore.kernel.org/r/20240227164127.36465-9-njavali@marvell.com
Reviewed-by: Himanshu Madhani
Signed-off-by: Martin K. Petersen
(backported from commit 82f522ae0d97119a43da53e0f729275691b9c525)
[bjamison: replaced 'qla2x00_free_fcport(fcport)' with 'kfree(sp->fcport)' because qla2x00_free_fcport is not defined and is not easily added; kfree should be a substitute for the original intention of the fix change]
CVE-2024-26929
Signed-off-by: Bethany Jamison

--- drivers/scsi/qla2xxx/qla_iocb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c index 716f46a67bcda..e2493394dbda3 100644 --- a/drivers/scsi/qla2xxx/qla_iocb.c +++ b/drivers/scsi/qla2xxx/qla_iocb.c @@ -2520,7 +2520,8 @@ static void qla2x00_els_dcmd_sp_free(srb_t *sp) { struct srb_iocb *elsio = &sp->u.iocb_cmd; - kfree(sp->fcport); + if (sp->fcport) + kfree(sp->fcport); if (elsio->u.els_logo.els_logo_pyld) dma_free_coherent(&sp->vha->hw->pdev->dev, DMA_POOL_SIZE, @@ -2630,6 +2631,7 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int els_opcode, if (!elsio->u.els_logo.els_logo_pyld) { sp->free(sp); + kfree(sp->fcport); return QLA_FUNCTION_FAILED; }
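Review bot: in the first hunk (qla2x00_els_dcmd_sp_free) the added `if (sp->fcport)` guard is a functional no-op once kfree() is kept, because kfree(NULL) already returns without doing anything; upstream needed the check only because qla2x00_free_fcport() dereferences its argument. Keeping the guard is harmless, but the backport note should say that, and it should also say whether an fcport allocated on the LOGO path in this tree owns anything beyond the struct itself, since the upstream message switches to qla2x00_free_fcport() "instead of kfree()" on purpose; if nothing else is owned, a one-line comment at the kfree() stating so will stop the next reader from flagging it as a leak.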
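Review bot: the second hunk (qla24xx_els_dcmd_iocb) adds a free where the commit message says one should be removed ("Remove one of the free calls"), and the added line looks like the double free this patch is meant to fix. The call trace in the message shows qla24xx_els_dcmd_iocb reaching kfree() through qla2x00_els_dcmd_sp_free(), so `sp->free` here is the callback in the first hunk, which already frees `sp->fcport`; `kfree(sp->fcport)` placed right after `sp->free(sp)` frees the same pointer a second time, and if sp->free also tears down the srb (as an sp->free callback normally does) it reads `sp` after release as well. Please check the upstream hunk against this tree: if upstream removed a `qla2x00_free_fcport(fcport)` on this path, the backport has inverted it and the added line should be dropped; if the fcport genuinely must be released here, it has to be the local `fcport` pointer with `sp->fcport` cleared before `sp->free(sp)`, never `sp->fcport` after it. The backport note also quotes the replaced call as taking `fcport` while the hunk uses `sp->fcport`, which is worth reconciling in the note.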