We have a very reproducible test case that hit the problem this fixes. Reviewed-by: Ewan D. Milne <emilne@xxxxxxxxxx> On Fri, Sep 8, 2023 at 5:08 PM Justin Tee <justintee8345@xxxxxxxxx> wrote: > > When a dev_loss_tmo event occurs, an ndlp lock is taken before checking > nlp_flag for NLP_DROPPED. There is an attempt to restore the ndlp lock > when exiting the if statement, but the nlp_put kref could be the final > decrement causing a use-after-free memory access on a released ndlp object. > > Instead of trying to reacquire the ndlp lock after checking nlp_flag, just > return after calling nlp_put. > > Signed-off-by: Justin Tee <justin.tee@xxxxxxxxxxxx> > --- > drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c > index 51afb60859eb..674dd07aae72 100644 > --- a/drivers/scsi/lpfc/lpfc_hbadisc.c > +++ b/drivers/scsi/lpfc/lpfc_hbadisc.c > @@ -203,7 +203,7 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) > ndlp->nlp_flag |= NLP_DROPPED; > spin_unlock_irqrestore(&ndlp->lock, iflags); > lpfc_nlp_put(ndlp); > - spin_lock_irqsave(&ndlp->lock, iflags); > + return; > } > > spin_unlock_irqrestore(&ndlp->lock, iflags); > -- > 2.38.0 >
