diff mbox series

scsi: bfa: fix use-after-free in bfad_im_module_exit()

Message ID 20241023011809.63466-1-yebin@huaweicloud.com
State New
Headers show
Series scsi: bfa: fix use-after-free in bfad_im_module_exit() | expand

Commit Message

Ye Bin Oct. 23, 2024, 1:18 a.m. UTC 
From: Ye Bin <yebin10@huawei.com>

There's issue as follows:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20
Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303

Call Trace:
 <TASK>
 dump_stack_lvl+0x95/0xe0
 print_report+0xcb/0x620
 kasan_report+0xbd/0xf0
 __lock_acquire+0x2aca/0x3a20
 lock_acquire+0x19b/0x520
 _raw_spin_lock+0x2b/0x40
 attribute_container_unregister+0x30/0x160
 fc_release_transport+0x19/0x90 [scsi_transport_fc]
 bfad_im_module_exit+0x23/0x60 [bfa]
 bfad_init+0xdb/0xff0 [bfa]
 do_one_initcall+0xdc/0x550
 do_init_module+0x22d/0x6b0
 load_module+0x4e96/0x5ff0
 init_module_from_file+0xcd/0x130
 idempotent_init_module+0x330/0x620
 __x64_sys_finit_module+0xb3/0x110
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Allocated by task 25303:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 fc_attach_transport+0x4f/0x4740 [scsi_transport_fc]
 bfad_im_module_init+0x17/0x80 [bfa]
 bfad_init+0x23/0xff0 [bfa]
 do_one_initcall+0xdc/0x550
 do_init_module+0x22d/0x6b0
 load_module+0x4e96/0x5ff0
 init_module_from_file+0xcd/0x130
 idempotent_init_module+0x330/0x620
 __x64_sys_finit_module+0xb3/0x110
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 25303:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x38/0x50
 kfree+0x212/0x480
 bfad_im_module_init+0x7e/0x80 [bfa]
 bfad_init+0x23/0xff0 [bfa]
 do_one_initcall+0xdc/0x550
 do_init_module+0x22d/0x6b0
 load_module+0x4e96/0x5ff0
 init_module_from_file+0xcd/0x130
 idempotent_init_module+0x330/0x620
 __x64_sys_finit_module+0xb3/0x110
 do_syscall_64+0xc1/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Above issue happens as follows:
bfad_init
  error = bfad_im_module_init()
    fc_release_transport(bfad_im_scsi_transport_template);
  if (error)
    goto ext;
ext:
  bfad_im_module_exit();
    fc_release_transport(bfad_im_scsi_transport_template);
    --> Trigger double release
 To solve above issue if call bfad_im_module_init() failed don't call
 bfad_im_module_exit().

Fixes: 7725ccfda597 ("[SCSI] bfa: Brocade BFA FC SCSI driver")
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 drivers/scsi/bfa/bfad.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Martin K. Petersen Nov. 14, 2024, 2:50 a.m. UTC | #1 
On Wed, 23 Oct 2024 09:18:09 +0800, Ye Bin wrote:

> There's issue as follows:
> BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20
> Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303
> 
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x95/0xe0
>  print_report+0xcb/0x620
>  kasan_report+0xbd/0xf0
>  __lock_acquire+0x2aca/0x3a20
>  lock_acquire+0x19b/0x520
>  _raw_spin_lock+0x2b/0x40
>  attribute_container_unregister+0x30/0x160
>  fc_release_transport+0x19/0x90 [scsi_transport_fc]
>  bfad_im_module_exit+0x23/0x60 [bfa]
>  bfad_init+0xdb/0xff0 [bfa]
>  do_one_initcall+0xdc/0x550
>  do_init_module+0x22d/0x6b0
>  load_module+0x4e96/0x5ff0
>  init_module_from_file+0xcd/0x130
>  idempotent_init_module+0x330/0x620
>  __x64_sys_finit_module+0xb3/0x110
>  do_syscall_64+0xc1/0x1d0
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>  </TASK>
> 
> [...]

Applied to 6.13/scsi-queue, thanks!

[1/1] scsi: bfa: fix use-after-free in bfad_im_module_exit()
      https://git.kernel.org/mkp/scsi/c/178b8f38932d
diff mbox series

Patch

diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c
index 19675a6e0780..6aa1d3a7e24b 100644
--- a/drivers/scsi/bfa/bfad.c
+++ b/drivers/scsi/bfa/bfad.c
@@ -1673,9 +1673,8 @@  bfad_init(void)
 
 	error = bfad_im_module_init();
 	if (error) {
-		error = -ENOMEM;
 		printk(KERN_WARNING "bfad_im_module_init failure\n");
-		goto ext;
+		return -ENOMEM;
 	}
 
 	if (strcmp(FCPI_NAME, " fcpim") == 0)