Patch "scsi: qedi: Fix use after free bug in qedi_remove()" has been added to the 6.1-stable tree


 



This is a note to let you know that I've just added the patch titled

    scsi: qedi: Fix use after free bug in qedi_remove()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-qedi-fix-use-after-free-bug-in-qedi_remove.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 59207ef7834d297945289476e10749b5f7354f04
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Thu Apr 13 11:34:22 2023 +0800

    scsi: qedi: Fix use after free bug in qedi_remove()
    
    [ Upstream commit c5749639f2d0a1f6cbe187d05f70c2e7c544d748 ]
    
    In qedi_probe() we call __qedi_probe() which initializes
    &qedi->recovery_work with qedi_recovery_handler() and
    &qedi->board_disable_work with qedi_board_disable_work().
    
    When qedi_schedule_recovery_handler() is called, schedule_delayed_work()
    will finally start the work.
    
    In qedi_remove(), which is called to remove the driver, the following
    sequence may be observed:
    
    Fix this by finishing the work before cleanup in qedi_remove().
    
    CPU0                  CPU1
    
                         |qedi_recovery_handler
    qedi_remove          |
      __qedi_remove      |
    iscsi_host_free      |
    scsi_host_put        |
    //free shost         |
                         |iscsi_host_for_each_session
                         |//use qedi->shost
    
    Cancel recovery_work and board_disable_work in __qedi_remove().
    
    Fixes: 4b1068f5d74b ("scsi: qedi: Add MFW error recovery process")
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    Link: https://lore.kernel.org/r/20230413033422.28003-1-zyytlz.wz@xxxxxxx
    Acked-by: Manish Rangankar <mrangankar@xxxxxxxxxxx>
    Reviewed-by: Mike Christie <michael.christie@xxxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
index df2fe7bd26d1b..f530bb0364939 100644
--- a/drivers/scsi/qedi/qedi_main.c
+++ b/drivers/scsi/qedi/qedi_main.c
@@ -2450,6 +2450,9 @@ static void __qedi_remove(struct pci_dev *pdev, int mode)
 		qedi_ops->ll2->stop(qedi->cdev);
 	}
 
+	cancel_delayed_work_sync(&qedi->recovery_work);
+	cancel_delayed_work_sync(&qedi->board_disable_work);
+
 	qedi_free_iscsi_pf_param(qedi);
 
 	rval = qedi_ops->common->update_drv_state(qedi->cdev, false);
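Review bot: the two cancel_delayed_work_sync() calls are added unconditionally in __qedi_remove(), which takes a mode argument, while the commit message describes finishing the work "before cleanup in qedi_remove()". cancel_delayed_work_sync() waits for a running instance of the work to complete, so if any caller reaches __qedi_remove() from inside qedi_recovery_handler() or qedi_board_disable_work(), the call on that same work item would wait on itself and never return. Please confirm that no such call path exists, or else place the cancels in qedi_remove() or gate them on mode so they run only on the real removal path. It is also worth stating in the changelog why the work cannot be queued again between these cancels and the later free of the host, since nothing in this hunk prevents a new qedi_schedule_recovery_handler() call after the cancel returns.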


