scsi: libfc: Fix use after free in fc_exch_abts_resp()

PlaidCat · PlaidCat · commit d8568036c766 · 2025-10-21T12:18:04.000-04:00
jira VULN-49951 cve CVE-2022-49114 commit-author Jianglei Nie <niejianglei2021@163.com> commit 271add1 fc_exch_release(ep) will decrease the ep's reference count. When the reference count reaches zero, it is freed. But ep is still used in the following code, which will lead to a use after free. Return after the fc_exch_release() call to avoid use after free. Link: https://lore.kernel.org/r/20220303015115.459778-1-niejianglei2021@163.com Reviewed-by: Hannes Reinecke <hare@suse.de> Signed-off-by: Jianglei Nie <niejianglei2021@163.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> (cherry picked from commit 271add1) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
@@ -1701,6 +1701,7 @@ static void fc_exch_abts_resp(struct fc_exch *ep, struct fc_frame *fp)
 	if (cancel_delayed_work_sync(&ep->timeout_work)) {
 		FC_EXCH_DBG(ep, "Exchange timer canceled due to ABTS response\n");
 		fc_exch_release(ep);	/* release from pending timer hold */
+		return;
 	}
 
 	spin_lock_bh(&ep->ex_lock);

Original file line number	Diff line number	Diff line change
`@@ -1701,6 +1701,7 @@ static void fc_exch_abts_resp(struct fc_exch ep, struct fc_frame fp)`
`1701`	`1701`	`if (cancel_delayed_work_sync(&ep->timeout_work)) {`
`1702`	`1702`	`FC_EXCH_DBG(ep, "Exchange timer canceled due to ABTS response\n");`
`1703`	`1703`	`fc_exch_release(ep); /* release from pending timer hold */`
	`1704`	`+ return;`
`1704`	`1705`	`}`
`1705`	`1706`
`1706`	`1707`	`spin_lock_bh(&ep->ex_lock);`