lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20241105130835.4447-1-chenqiuji666@gmail.com>
Date: Tue,  5 Nov 2024 21:08:35 +0800
From: Qiu-ji Chen <chenqiuji666@...il.com>
To: james.smart@...adcom.com,
	dick.kennedy@...adcom.com,
	James.Bottomley@...senPartnership.com,
	martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	baijiaju1990@...il.com,
	Qiu-ji Chen <chenqiuji666@...il.com>,
	stable@...r.kernel.org
Subject: [PATCH] scsi: lpfc: Fix improper handling of refcount in lpfc_bsg_hba_set_event()

This patch fixes a reference count handling issue in the function 
lpfc_bsg_hba_set_event(). In the branch 
if (evt->reg_id == event_req->ev_reg_id), the function calls 
lpfc_bsg_event_ref(), which increments the reference count of the 
associated resource. However, in the subsequent branch 
if (&evt->node == &phba->ct_ev_waiters), a new evt is allocated, but the 
old evt should be released at this point. Failing to do so could lead to 
issues.

To resolve this issue, we added a release instruction at the beginning of 
the next branch if (&evt->node == &phba->ct_ev_waiters), ensuring that the 
resources allocated in the previous branch are properly released, thereby 
preventing a reference count leak.

This bug was identified by an experimental static analysis tool developed
by our team. The tool specializes in analyzing reference count operations
and detecting potential issues where resources are not properly managed.
In this case, the tool flagged the missing release operation as a
potential problem, which led to the development of this patch.

Fixes: 4cc0e56e977f ("[SCSI] lpfc 8.3.8: (BSG3) Modify BSG commands to operate asynchronously")
Cc: stable@...r.kernel.org
Signed-off-by: Qiu-ji Chen <chenqiuji666@...il.com>
---
 drivers/scsi/lpfc/lpfc_bsg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
index 85059b83ea6b..3a65270c5584 100644
--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -1200,6 +1200,9 @@ lpfc_bsg_hba_set_event(struct bsg_job *job)
 	spin_unlock_irqrestore(&phba->ct_ev_lock, flags);
 
 	if (&evt->node == &phba->ct_ev_waiters) {
+		spin_lock_irqsave(&phba->ct_ev_lock, flags);
+		lpfc_bsg_event_unref(evt);
+		spin_unlock_irqrestore(&phba->ct_ev_lock, flags);
 		/* no event waiting struct yet - first call */
 		dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
 		if (dd_data == NULL) {
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ