summaryrefslogtreecommitdiff
path: root/drivers/bcma/driver_gmac_cmn.c
diff options
context:
space:
mode:
authorJustin Tee <justin.tee@broadcom.com>2023-09-09 00:19:23 +0300
committerMartin K. Petersen <martin.petersen@oracle.com>2023-09-14 03:51:16 +0300
commitdae40be7a1a72474e225795c0d6f43a4ac596a3f (patch)
tree50c3aeb49b9b68e3fa357c8630e1fa3d3c568e49 /drivers/bcma/driver_gmac_cmn.c
parent9c3034968ed0feeaf72e5b549b19c7767a1a04f2 (diff)
downloadlinux-dae40be7a1a72474e225795c0d6f43a4ac596a3f.tar.xz
scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports
During rmmod, when dev_loss_tmo callback is called, an ndlp kref count is decremented twice. Once for SCSI transport registration and second to remove the initial node allocation kref. If there is also an NVMe transport registration, another reference count decrement is expected in lpfc_nvme_unregister_port(). Race conditions between the NVMe transport remoteport_delete and dev_loss_tmo callbacks sometimes results in premature ndlp object release resulting in use-after-free issues. Fix by not dropping the ndlp object in dev_loss_tmo callback with an outstanding NVMe transport registration. Inversely, mark the final NLP_DROPPED flag in lpfc_nvme_unregister_port when rmmod flag is set. Signed-off-by: Justin Tee <justin.tee@broadcom.com> Link: https://lore.kernel.org/r/20230908211923.37603-1-justintee8345@gmail.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/bcma/driver_gmac_cmn.c')
0 files changed, 0 insertions, 0 deletions