scsi: lpfc: Fix use-after-free rport memory access in lpfc_register_remote_port()

Due to a target port D_ID swap, it is possible for the
lpfc_register_remote_port() routine to touch post mortem fc_rport memory
when trying to access fc_rport->dd_data.

The D_ID swap causes a simultaneous call to lpfc_unregister_remote_port(),
where fc_remote_port_delete() reclaims fc_rport memory.

Remove the fc_rport->dd_data->pnode NULL assignment because the following
line reassigns ndlp->rport with an fc_rport object from
fc_remote_port_add() anyways.  The pnode nullification is superfluous.

Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20230523183206.7728-2-justintee8345@gmail.com
Acked-by: Martin Wilck <mwilck@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 67bfdddb897c46141650634bd973d42a03c446d0..63e42e3f2165b088c4840c04358e34e5dd7065d2 100644 (file)
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -4498,14 +4498,6 @@ lpfc_register_remote_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
        if (vport->load_flag & FC_UNLOADING)
                return;
 
-       /*
-        * Disassociate any older association between this ndlp and rport
-        */
-       if (ndlp->rport) {
-               rdata = ndlp->rport->dd_data;
-               rdata->pnode = NULL;
-       }
-
        ndlp->rport = rport = fc_remote_port_add(shost, 0, &rport_ids);
        if (!rport) {
                dev_printk(KERN_WARNING, &phba->pcidev->dev,