Patch "scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-lpfc-fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit fdbfa328ccca83bddb45005d5a5a3726ffa64660
Author: James Smart <jsmart2021@xxxxxxxxx>
Date:   Wed Oct 20 14:14:13 2021 -0700

    scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
    
    [ Upstream commit 79b20beccea3a3938a8500acef4e6b9d7c66142f ]
    
    An error is detected with the following report when unloading the driver:
      "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"
    
    The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the
    flag is not cleared upon completion of the login.
    
    This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set
    to LPFC_RPI_ALLOW_ERROR.  This results in a use after free access when used
    as an rpi_ids array index.
    
    Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
    lpfc_mbx_cmpl_fc_reg_login().
    
    Link: https://lore.kernel.org/r/20211020211417.88754-5-jsmart2021@xxxxxxxxx
    Co-developed-by: Justin Tee <justin.tee@xxxxxxxxxxxx>
    Signed-off-by: Justin Tee <justin.tee@xxxxxxxxxxxx>
    Signed-off-by: James Smart <jsmart2021@xxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 6f2e07c30f98f..e1c02229c82d9 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4360,6 +4360,7 @@ lpfc_mbx_cmpl_fc_reg_login(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
 			 ndlp->nlp_state);
 
 	ndlp->nlp_flag |= NLP_RPI_REGISTERED;
+	ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND;
 	ndlp->nlp_type |= NLP_FABRIC;
 	lpfc_nlp_set_state(vport, ndlp, NLP_STE_UNMAPPED_NODE);
 
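Review bot: the clear of NLP_REG_LOGIN_SEND at `ndlp->nlp_flag &= ~NLP_REG_LOGIN_SEND;` covers only the path that reaches the NLP_RPI_REGISTERED assignment shown here. Please confirm that any earlier return in lpfc_mbx_cmpl_fc_reg_login(), which is not visible in this hunk, cannot leave the flag set, since the commit message says a stale flag is what lets a second lpfc_unreg_rpi() call use nlp_rpi == LPFC_RPI_ALLOW_ERROR as an rpi_ids index. Because the reported access is an out-of-range array index, a range check on nlp_rpi before the rpi_ids lookup in lpfc_unreg_rpi() would be worth a follow-up patch as hardening independent of the flag state. The two adjacent read-modify-write updates to nlp_flag show no lock in the context lines, so a short comment naming the lock the completion handler relies on would help. The commit message also carries no Fixes: tag, which makes it harder to tell which stable branches need the backport.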


